import bind-9.11.20-5.el8
This commit is contained in:
parent
c155b2de68
commit
864e18c0c8
@ -1,2 +1,2 @@
|
||||
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
|
||||
ff6ad0d3f9282a77786e93eb889154008ef1ccdf SOURCES/bind-9.11.20.tar.gz
|
||||
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/bind-9.11.13.tar.gz
|
||||
SOURCES/bind-9.11.20.tar.gz
|
||||
SOURCES/random.data
|
||||
|
@ -79,10 +79,10 @@ index 03a72d5..4c1cb6d 100644
|
||||
@DLZ_DRIVER_RULES@
|
||||
|
||||
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
|
||||
index 108b8d6..a943421 100644
|
||||
index c9fc3cc..148ebb3 100644
|
||||
--- a/bin/named-sdb/main.c
|
||||
+++ b/bin/named-sdb/main.c
|
||||
@@ -93,6 +93,10 @@
|
||||
@@ -97,6 +97,10 @@
|
||||
* Include header files for database drivers here.
|
||||
*/
|
||||
/* #include "xxdb.h" */
|
||||
@ -93,7 +93,7 @@ index 108b8d6..a943421 100644
|
||||
|
||||
#ifdef CONTRIB_DLZ
|
||||
/*
|
||||
@@ -1069,6 +1073,11 @@ setup(void) {
|
||||
@@ -1134,6 +1138,11 @@ setup(void) {
|
||||
ns_main_earlyfatal("isc_app_start() failed: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
@ -105,7 +105,7 @@ index 108b8d6..a943421 100644
|
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
|
||||
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
|
||||
ns_g_product, ns_g_version,
|
||||
@@ -1269,6 +1278,75 @@ setup(void) {
|
||||
@@ -1334,6 +1343,75 @@ setup(void) {
|
||||
isc_result_totext(result));
|
||||
#endif
|
||||
|
||||
@ -181,7 +181,7 @@ index 108b8d6..a943421 100644
|
||||
ns_server_create(ns_g_mctx, &ns_g_server);
|
||||
|
||||
#ifdef HAVE_LIBSECCOMP
|
||||
@@ -1311,6 +1389,11 @@ cleanup(void) {
|
||||
@@ -1376,6 +1454,11 @@ cleanup(void) {
|
||||
|
||||
dns_name_destroy();
|
||||
|
||||
@ -288,10 +288,10 @@ index c7e0868..95ab742 100644
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index eff9f05..d05ad1f 100644
|
||||
index f85f45f..7d28c52 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
|
||||
@@ -5400,6 +5400,8 @@ AC_CONFIG_FILES([
|
||||
bin/named/unix/Makefile
|
||||
bin/named-pkcs11/Makefile
|
||||
bin/named-pkcs11/unix/Makefile
|
||||
@ -300,9 +300,9 @@ index eff9f05..d05ad1f 100644
|
||||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/python/Makefile
|
||||
@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
|
||||
bin/python/isc/tests/dnskey_test.py
|
||||
@@ -5424,6 +5426,7 @@ AC_CONFIG_FILES([
|
||||
bin/python/isc/tests/policy_test.py
|
||||
bin/python/isc/utils.py
|
||||
bin/rndc/Makefile
|
||||
+ bin/sdb_tools/Makefile
|
||||
bin/tests/Makefile
|
||||
|
@ -1,292 +0,0 @@
|
||||
From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Morris <stephen@isc.org>
|
||||
Date: Thu, 5 Mar 2020 18:46:46 +0000
|
||||
Subject: [PATCH] Add test for reduction in number of fetches
|
||||
|
||||
Add a system test that counts how many address fetches are made
|
||||
for different numbers of NS records and checks that the number
|
||||
are successfully limited.
|
||||
|
||||
(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
|
||||
---
|
||||
bin/tests/system/resolver/clean.sh | 4 +-
|
||||
bin/tests/system/resolver/ns4/named.conf.in | 5 ++
|
||||
bin/tests/system/resolver/ns4/root.db | 4 +
|
||||
bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
|
||||
bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
|
||||
bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
|
||||
bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
|
||||
bin/tests/system/resolver/tests.sh | 34 ++++++++
|
||||
8 files changed, 180 insertions(+), 3 deletions(-)
|
||||
create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
|
||||
create mode 100644 bin/tests/system/resolver/ns6/targetns.db
|
||||
|
||||
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
|
||||
index 4dfde1f3e7..b3e4bc0b5d 100644
|
||||
--- a/bin/tests/system/resolver/clean.sh
|
||||
+++ b/bin/tests/system/resolver/clean.sh
|
||||
@@ -17,8 +17,7 @@ rm -f */named.memstats
|
||||
rm -f */named.run
|
||||
rm -f */ans.run
|
||||
rm -f */*.jdb
|
||||
-rm -f dig.out dig.out.*
|
||||
-rm -f dig.*.out.*
|
||||
+rm -f dig.out dig.out.* dig.*.out.*
|
||||
rm -f dig.*.foo.*
|
||||
rm -f dig.*.bar.*
|
||||
rm -f dig.*.prime.*
|
||||
@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
|
||||
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
|
||||
rm -f ns6/dsset-ds.example.net*
|
||||
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
|
||||
+rm -f ns6/named.stats*
|
||||
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
|
||||
rm -f ns7/server.db ns7/server.db.jnl
|
||||
rm -f resolve.out.*.test*
|
||||
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
|
||||
index c679dc3151..56fe5d0dd8 100644
|
||||
--- a/bin/tests/system/resolver/ns4/named.conf.in
|
||||
+++ b/bin/tests/system/resolver/ns4/named.conf.in
|
||||
@@ -50,6 +50,11 @@ zone "broken" {
|
||||
file "broken.db";
|
||||
};
|
||||
|
||||
+zone "sourcens" {
|
||||
+ type master;
|
||||
+ file "sourcens.db";
|
||||
+};
|
||||
+
|
||||
key rndc_key {
|
||||
secret "1234abcd8765";
|
||||
algorithm hmac-sha256;
|
||||
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
|
||||
index 721765d1be..ae541340da 100644
|
||||
--- a/bin/tests/system/resolver/ns4/root.db
|
||||
+++ b/bin/tests/system/resolver/ns4/root.db
|
||||
@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
|
||||
ns.example.net. A 10.53.0.6
|
||||
no-questions. NS ns.no-questions.
|
||||
ns.no-questions. A 10.53.0.8
|
||||
+sourcens. NS ns.sourcens.
|
||||
+ns.sourcens. A 10.53.0.4
|
||||
+targetns. NS ns.targetns.
|
||||
+ns.targetns. A 10.53.0.6
|
||||
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
|
||||
new file mode 100644
|
||||
index 0000000000..b02cc6e835
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/resolver/ns4/sourcens.db
|
||||
@@ -0,0 +1,89 @@
|
||||
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+;
|
||||
+; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
+;
|
||||
+; See the COPYRIGHT file distributed with this work for additional
|
||||
+; information regarding copyright ownership.
|
||||
+
|
||||
+; This zone contains a set of delegations with varying numbers of NS
|
||||
+; records. This is used to check that BIND is limiting the number of
|
||||
+; NS records it follows when resolving a delegation. It tests all
|
||||
+; numbers of NS records up to twice the number followed.
|
||||
+
|
||||
+$TTL 60
|
||||
+@ IN SOA marka.isc.org. ns.server. (
|
||||
+ 2010 ; serial
|
||||
+ 600 ; refresh
|
||||
+ 600 ; retry
|
||||
+ 1200 ; expire
|
||||
+ 600 ; minimum
|
||||
+ )
|
||||
+@ NS ns
|
||||
+ns A 10.53.0.4
|
||||
+
|
||||
+target1 NS ns.fake11.targetns.
|
||||
+
|
||||
+target2 NS ns.fake21.targetns.
|
||||
+ NS ns.fake22.targetns.
|
||||
+
|
||||
+target3 NS ns.fake31.targetns.
|
||||
+ NS ns.fake32.targetns.
|
||||
+ NS ns.fake33.targetns.
|
||||
+
|
||||
+target4 NS ns.fake41.targetns.
|
||||
+ NS ns.fake42.targetns.
|
||||
+ NS ns.fake43.targetns.
|
||||
+ NS ns.fake44.targetns.
|
||||
+
|
||||
+target5 NS ns.fake51.targetns.
|
||||
+ NS ns.fake52.targetns.
|
||||
+ NS ns.fake53.targetns.
|
||||
+ NS ns.fake54.targetns.
|
||||
+ NS ns.fake55.targetns.
|
||||
+
|
||||
+target6 NS ns.fake61.targetns.
|
||||
+ NS ns.fake62.targetns.
|
||||
+ NS ns.fake63.targetns.
|
||||
+ NS ns.fake64.targetns.
|
||||
+ NS ns.fake65.targetns.
|
||||
+ NS ns.fake66.targetns.
|
||||
+
|
||||
+target7 NS ns.fake71.targetns.
|
||||
+ NS ns.fake72.targetns.
|
||||
+ NS ns.fake73.targetns.
|
||||
+ NS ns.fake74.targetns.
|
||||
+ NS ns.fake75.targetns.
|
||||
+ NS ns.fake76.targetns.
|
||||
+ NS ns.fake77.targetns.
|
||||
+
|
||||
+target8 NS ns.fake81.targetns.
|
||||
+ NS ns.fake82.targetns.
|
||||
+ NS ns.fake83.targetns.
|
||||
+ NS ns.fake84.targetns.
|
||||
+ NS ns.fake85.targetns.
|
||||
+ NS ns.fake86.targetns.
|
||||
+ NS ns.fake87.targetns.
|
||||
+ NS ns.fake88.targetns.
|
||||
+
|
||||
+target9 NS ns.fake91.targetns.
|
||||
+ NS ns.fake92.targetns.
|
||||
+ NS ns.fake93.targetns.
|
||||
+ NS ns.fake94.targetns.
|
||||
+ NS ns.fake95.targetns.
|
||||
+ NS ns.fake96.targetns.
|
||||
+ NS ns.fake97.targetns.
|
||||
+ NS ns.fake98.targetns.
|
||||
+ NS ns.fake99.targetns.
|
||||
+
|
||||
+target10 NS ns.fake101.targetns.
|
||||
+ NS ns.fake102.targetns.
|
||||
+ NS ns.fake103.targetns.
|
||||
+ NS ns.fake104.targetns.
|
||||
+ NS ns.fake105.targetns.
|
||||
+ NS ns.fake106.targetns.
|
||||
+ NS ns.fake107.targetns.
|
||||
+ NS ns.fake108.targetns.
|
||||
+ NS ns.fake109.targetns.
|
||||
+ NS ns.fake1010.targetns.
|
||||
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
|
||||
index 07205c9938..90818e4556 100644
|
||||
--- a/bin/tests/system/resolver/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/resolver/ns5/named.conf.in
|
||||
@@ -46,4 +46,11 @@ zone "delegation-only" {
|
||||
type delegation-only;
|
||||
};
|
||||
|
||||
-include "trusted.conf";
|
||||
+key rndc_key {
|
||||
+ secret "1234abcd8765";
|
||||
+ algorithm hmac-sha256;
|
||||
+};
|
||||
+
|
||||
+controls {
|
||||
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
|
||||
index 7df48558b8..4b01f9ba14 100644
|
||||
--- a/bin/tests/system/resolver/ns6/named.conf.in
|
||||
+++ b/bin/tests/system/resolver/ns6/named.conf.in
|
||||
@@ -22,6 +22,7 @@ options {
|
||||
recursion no;
|
||||
// minimal-responses yes;
|
||||
querylog yes;
|
||||
+ statistics-file "named.stats";
|
||||
/*
|
||||
* test that named loads with root-delegation-only that
|
||||
* has a exclude list.
|
||||
@@ -67,3 +68,17 @@ zone "delegation-only" {
|
||||
type master;
|
||||
file "delegation-only.db";
|
||||
};
|
||||
+
|
||||
+zone "targetns" {
|
||||
+ type master;
|
||||
+ file "targetns.db";
|
||||
+};
|
||||
+
|
||||
+key rndc_key {
|
||||
+ secret "1234abcd8765";
|
||||
+ algorithm hmac-sha256;
|
||||
+};
|
||||
+
|
||||
+controls {
|
||||
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
|
||||
new file mode 100644
|
||||
index 0000000000..036e64580b
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/resolver/ns6/targetns.db
|
||||
@@ -0,0 +1,23 @@
|
||||
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+;
|
||||
+; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
+;
|
||||
+; See the COPYRIGHT file distributed with this work for additional
|
||||
+; information regarding copyright ownership.
|
||||
+
|
||||
+; In the test for checking how many NS records BIND will follow, this
|
||||
+; zone marks the server as the one to which the NS lookups will be
|
||||
+; directed.
|
||||
+
|
||||
+$TTL 300
|
||||
+@ IN SOA marka.isc.org. ns.server. (
|
||||
+ 2010 ; serial
|
||||
+ 600 ; refresh
|
||||
+ 600 ; retry
|
||||
+ 1200 ; expire
|
||||
+ 600 ; minimum
|
||||
+ )
|
||||
+ NS ns
|
||||
+ns A 10.53.0.6
|
||||
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
|
||||
index 12d2819e30..178ba4d79b 100755
|
||||
--- a/bin/tests/system/resolver/tests.sh
|
||||
+++ b/bin/tests/system/resolver/tests.sh
|
||||
@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
|
||||
status=`expr $status + $ret`
|
||||
fi
|
||||
|
||||
+n=`expr $n + 1`
|
||||
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
|
||||
+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
|
||||
+# records pointing to non-existent nameservers in the targetns zone on ns6.
|
||||
+ret=0
|
||||
+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
|
||||
+for nscount in 1 2 3 4 5 6 7 8 9 10
|
||||
+do
|
||||
+ # Verify number of NS records at source server
|
||||
+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
|
||||
+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
|
||||
+ test $sourcerecs -eq $nscount || ret=1
|
||||
+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
|
||||
+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
|
||||
+ expected=`expr 2 \* $nscount`
|
||||
+ if [ $expected -gt 10 ]; then expected=10; fi
|
||||
+ # Work out the queries made by checking statistics on the target before and after the test
|
||||
+ $RNDCCMD 10.53.0.6 stats || ret=1
|
||||
+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
|
||||
+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
|
||||
+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
|
||||
+ $RNDCCMD 10.53.0.6 stats || ret=1
|
||||
+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
|
||||
+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
|
||||
+ # Check number of queries during the test is as expected
|
||||
+ actual=`expr $final_count - $initial_count`
|
||||
+ if [ $actual -ne $expected ]; then
|
||||
+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
|
||||
+ ret=1
|
||||
+ fi
|
||||
+done
|
||||
+if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
+status=`expr $status + $ret`
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
echo_i "RT21594 regression test check setup ($n)"
|
||||
ret=0
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,78 +0,0 @@
|
||||
From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 25 Mar 2020 17:44:51 +1100
|
||||
Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
|
||||
request
|
||||
|
||||
(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
|
||||
---
|
||||
bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
|
||||
bin/tests/system/tsig/tests.sh | 9 +++++++++
|
||||
2 files changed, 46 insertions(+)
|
||||
create mode 100644 bin/tests/system/tsig/badtime
|
||||
|
||||
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
|
||||
new file mode 100644
|
||||
index 0000000000..7926404cfb
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/badtime
|
||||
@@ -0,0 +1,37 @@
|
||||
+# Transaction ID
|
||||
+1122
|
||||
+# Standard query
|
||||
+0000
|
||||
+# Questions: 1, Additional: 1
|
||||
+0001 0000 0000 0001
|
||||
+# QNAME: isc.org
|
||||
+03 69 73 63 03 6F 72 67 00
|
||||
+# Type: A (Host Address)
|
||||
+0001
|
||||
+# Class: IN
|
||||
+0001
|
||||
+# Specially crafted TSIG Resource Record
|
||||
+# Name: "sha256"
|
||||
+06 73 68 61 32 35 36 00
|
||||
+# Type: TSIG (Transaction Signature)
|
||||
+00fa
|
||||
+# Class: ANY
|
||||
+00ff
|
||||
+# TTL: 0
|
||||
+00000000
|
||||
+# RdLen: 29
|
||||
+001d
|
||||
+# Algorithm Name: hmac-sha256
|
||||
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
|
||||
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
|
||||
+00 00 00 00 00 00
|
||||
+# Fudge: 300
|
||||
+012c
|
||||
+# MAC Size: 0; MAC: empty
|
||||
+0000
|
||||
+# Original ID: 0
|
||||
+0000
|
||||
+# Error: BADSIG
|
||||
+0010
|
||||
+# Other Data Length: 0
|
||||
+0000
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index cade35bc1d..284aea1056 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
|
||||
echo "I: failed"; status=1
|
||||
fi
|
||||
|
||||
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
|
||||
+ret=0
|
||||
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
|
||||
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
|
||||
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
|
||||
+if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+fi
|
||||
+
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
--
|
||||
2.21.1
|
||||
|
57
SOURCES/bind-9.11-CVE-2020-8622.patch
Normal file
57
SOURCES/bind-9.11-CVE-2020-8622.patch
Normal file
@ -0,0 +1,57 @@
|
||||
From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 10:53:33 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-8622
|
||||
|
||||
5476. [security] It was possible to trigger an assertion failure when
|
||||
verifying the response to a TSIG-signed request.
|
||||
(CVE-2020-8622) [GL #2028]
|
||||
---
|
||||
lib/dns/message.c | 24 +++++++++++++-----------
|
||||
1 file changed, 13 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
||||
index d9e341a..7c813a5 100644
|
||||
--- a/lib/dns/message.c
|
||||
+++ b/lib/dns/message.c
|
||||
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
|
||||
msg->header_ok = 0;
|
||||
msg->question_ok = 0;
|
||||
|
||||
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
|
||||
+ isc_buffer_usedregion(&origsource, &msg->saved);
|
||||
+ } else {
|
||||
+ msg->saved.length = isc_buffer_usedlength(&origsource);
|
||||
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
|
||||
+ if (msg->saved.base == NULL) {
|
||||
+ return (ISC_R_NOMEMORY);
|
||||
+ }
|
||||
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
|
||||
+ msg->saved.length);
|
||||
+ msg->free_saved = 1;
|
||||
+ }
|
||||
+
|
||||
isc_buffer_remainingregion(source, &r);
|
||||
if (r.length < DNS_MESSAGE_HEADERLEN)
|
||||
return (ISC_R_UNEXPECTEDEND);
|
||||
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
|
||||
}
|
||||
|
||||
truncated:
|
||||
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
|
||||
- isc_buffer_usedregion(&origsource, &msg->saved);
|
||||
- else {
|
||||
- msg->saved.length = isc_buffer_usedlength(&origsource);
|
||||
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
|
||||
- if (msg->saved.base == NULL)
|
||||
- return (ISC_R_NOMEMORY);
|
||||
- memmove(msg->saved.base, isc_buffer_base(&origsource),
|
||||
- msg->saved.length);
|
||||
- msg->free_saved = 1;
|
||||
- }
|
||||
|
||||
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
|
||||
return (DNS_R_RECOVERABLE);
|
||||
--
|
||||
2.26.2
|
||||
|
400
SOURCES/bind-9.11-CVE-2020-8623.patch
Normal file
400
SOURCES/bind-9.11-CVE-2020-8623.patch
Normal file
@ -0,0 +1,400 @@
|
||||
From e8b7be1e1ff3e11bc8d592c3c8d6a0f0d69e9947 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 10:54:39 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-8623
|
||||
|
||||
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
|
||||
was possible to trigger an assertion failure in code
|
||||
determining the number of bits in the PKCS#11 RSA public
|
||||
key with a specially crafted packet. (CVE-2020-8623)
|
||||
[GL #2037]
|
||||
---
|
||||
lib/dns/pkcs11dh_link.c | 15 ++++++-
|
||||
lib/dns/pkcs11dsa_link.c | 8 +++-
|
||||
lib/dns/pkcs11rsa_link.c | 79 +++++++++++++++++++++++++--------
|
||||
lib/isc/include/pk11/internal.h | 3 +-
|
||||
lib/isc/pk11.c | 61 ++++++++++++++++---------
|
||||
5 files changed, 121 insertions(+), 45 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
|
||||
index e2b60ea..4cd8e32 100644
|
||||
--- a/lib/dns/pkcs11dh_link.c
|
||||
+++ b/lib/dns/pkcs11dh_link.c
|
||||
@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
int special = 0;
|
||||
+ unsigned int bits;
|
||||
isc_result_t result;
|
||||
|
||||
isc_buffer_remainingregion(data, &r);
|
||||
@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
pub = r.base;
|
||||
isc_region_consume(&r, publen);
|
||||
|
||||
- key->key_size = pk11_numbits(prime, plen_);
|
||||
+ result = pk11_numbits(prime, plen_, &bits);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
|
||||
if (dh->repr == NULL)
|
||||
@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
+ unsigned int bits;
|
||||
pk11_object_t *dh = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
isc_mem_t *mctx;
|
||||
@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
attr = pk11_attribute_bytype(dh, CKA_PRIME);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
|
||||
index 12d707a..24d4c14 100644
|
||||
--- a/lib/dns/pkcs11dsa_link.c
|
||||
+++ b/lib/dns/pkcs11dsa_link.c
|
||||
@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
+ unsigned int bits;
|
||||
pk11_object_t *dsa = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
isc_mem_t *mctx = key->mctx;
|
||||
@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
attr = pk11_attribute_bytype(dsa, CKA_PRIME);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
|
||||
index 6c280bf..86e136a 100644
|
||||
--- a/lib/dns/pkcs11rsa_link.c
|
||||
+++ b/lib/dns/pkcs11rsa_link.c
|
||||
@@ -337,6 +337,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
|
||||
key->key_alg == DST_ALG_RSASHA256 ||
|
||||
key->key_alg == DST_ALG_RSASHA512);
|
||||
#endif
|
||||
+ REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
|
||||
|
||||
/*
|
||||
* Reject incorrect RSA key lengths.
|
||||
@@ -381,6 +382,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
|
||||
for (attr = pk11_attribute_first(rsa);
|
||||
attr != NULL;
|
||||
attr = pk11_attribute_next(rsa, attr))
|
||||
+ {
|
||||
switch (attr->type) {
|
||||
case CKA_MODULUS:
|
||||
INSIST(keyTemplate[5].type == attr->type);
|
||||
@@ -401,12 +403,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
|
||||
memmove(keyTemplate[6].pValue, attr->pValue,
|
||||
attr->ulValueLen);
|
||||
keyTemplate[6].ulValueLen = attr->ulValueLen;
|
||||
- if (pk11_numbits(attr->pValue,
|
||||
- attr->ulValueLen) > maxbits &&
|
||||
- maxbits != 0)
|
||||
+ unsigned int bits;
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
|
||||
+ &bits);
|
||||
+ if (ret != ISC_R_SUCCESS ||
|
||||
+ (bits > maxbits && maxbits != 0)) {
|
||||
DST_RET(DST_R_VERIFYFAILURE);
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
+ }
|
||||
pk11_ctx->object = CK_INVALID_HANDLE;
|
||||
pk11_ctx->ontoken = false;
|
||||
PK11_RET(pkcs_C_CreateObject,
|
||||
@@ -1086,6 +1092,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
keyTemplate[5].ulValueLen = attr->ulValueLen;
|
||||
break;
|
||||
case CKA_PUBLIC_EXPONENT:
|
||||
+ unsigned int bits;
|
||||
INSIST(keyTemplate[6].type == attr->type);
|
||||
keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
|
||||
attr->ulValueLen);
|
||||
@@ -1094,10 +1101,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
memmove(keyTemplate[6].pValue, attr->pValue,
|
||||
attr->ulValueLen);
|
||||
keyTemplate[6].ulValueLen = attr->ulValueLen;
|
||||
- if (pk11_numbits(attr->pValue,
|
||||
- attr->ulValueLen)
|
||||
- > RSA_MAX_PUBEXP_BITS)
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen,
|
||||
+ &bits);
|
||||
+ if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
|
||||
+ {
|
||||
DST_RET(DST_R_VERIFYFAILURE);
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
pk11_ctx->object = CK_INVALID_HANDLE;
|
||||
@@ -1475,6 +1484,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
CK_BYTE *exponent = NULL, *modulus = NULL;
|
||||
CK_ATTRIBUTE *attr;
|
||||
unsigned int length;
|
||||
+ unsigned int bits;
|
||||
+ isc_result_t ret = ISC_R_SUCCESS;
|
||||
|
||||
isc_buffer_remainingregion(data, &r);
|
||||
if (r.length == 0)
|
||||
@@ -1492,9 +1503,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
if (e_bytes == 0) {
|
||||
if (r.length < 2) {
|
||||
- isc_safe_memwipe(rsa, sizeof(*rsa));
|
||||
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
|
||||
- return (DST_R_INVALIDPUBLICKEY);
|
||||
+ DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
e_bytes = (*r.base) << 8;
|
||||
isc_region_consume(&r, 1);
|
||||
@@ -1503,16 +1512,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
}
|
||||
|
||||
if (r.length < e_bytes) {
|
||||
- isc_safe_memwipe(rsa, sizeof(*rsa));
|
||||
- isc_mem_put(key->mctx, rsa, sizeof(*rsa));
|
||||
- return (DST_R_INVALIDPUBLICKEY);
|
||||
+ DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
exponent = r.base;
|
||||
isc_region_consume(&r, e_bytes);
|
||||
modulus = r.base;
|
||||
mod_bytes = r.length;
|
||||
|
||||
- key->key_size = pk11_numbits(modulus, mod_bytes);
|
||||
+ ret = pk11_numbits(modulus, mod_bytes, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
isc_buffer_forward(data, length);
|
||||
|
||||
@@ -1562,9 +1573,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
rsa->repr,
|
||||
rsa->attrcnt * sizeof(*attr));
|
||||
}
|
||||
+ ret = ISC_R_NOMEMORY;
|
||||
+
|
||||
+ err:
|
||||
isc_safe_memwipe(rsa, sizeof(*rsa));
|
||||
isc_mem_put(key->mctx, rsa, sizeof(*rsa));
|
||||
- return (ISC_R_NOMEMORY);
|
||||
+ return (ret);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
@@ -1743,6 +1757,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
|
||||
pk11_object_t *pubrsa;
|
||||
pk11_context_t *pk11_ctx = NULL;
|
||||
isc_result_t ret;
|
||||
+ unsigned int bits;
|
||||
|
||||
if (label == NULL)
|
||||
return (DST_R_NOENGINE);
|
||||
@@ -1829,7 +1844,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
|
||||
@@ -1915,6 +1934,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
CK_ATTRIBUTE *attr;
|
||||
isc_mem_t *mctx = key->mctx;
|
||||
const char *engine = NULL, *label = NULL;
|
||||
+ unsigned int bits;
|
||||
|
||||
/* read private key file */
|
||||
ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
|
||||
@@ -2058,12 +2078,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
|
||||
INSIST(attr != NULL);
|
||||
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (bits > RSA_MAX_PUBEXP_BITS) {
|
||||
DST_RET(ISC_R_RANGE);
|
||||
+ }
|
||||
|
||||
dst__privstruct_free(&priv, mctx);
|
||||
isc_safe_memwipe(&priv, sizeof(priv));
|
||||
@@ -2098,6 +2128,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
pk11_context_t *pk11_ctx = NULL;
|
||||
isc_result_t ret;
|
||||
unsigned int i;
|
||||
+ unsigned int bits;
|
||||
|
||||
UNUSED(pin);
|
||||
|
||||
@@ -2192,12 +2223,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
|
||||
INSIST(attr != NULL);
|
||||
- if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
|
||||
+
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ if (bits > RSA_MAX_PUBEXP_BITS) {
|
||||
DST_RET(ISC_R_RANGE);
|
||||
+ }
|
||||
|
||||
attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
|
||||
INSIST(attr != NULL);
|
||||
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
|
||||
+ ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
|
||||
+ if (ret != ISC_R_SUCCESS) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+ key->key_size = bits;
|
||||
|
||||
pk11_return_session(pk11_ctx);
|
||||
isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
|
||||
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
|
||||
index 603712a..b9680bc 100644
|
||||
--- a/lib/isc/include/pk11/internal.h
|
||||
+++ b/lib/isc/include/pk11/internal.h
|
||||
@@ -27,7 +27,8 @@ void pk11_mem_put(void *ptr, size_t size);
|
||||
|
||||
CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
|
||||
|
||||
-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
|
||||
+isc_result_t
|
||||
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
|
||||
|
||||
CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
|
||||
|
||||
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
|
||||
index 4b85527..9c450da 100644
|
||||
--- a/lib/isc/pk11.c
|
||||
+++ b/lib/isc/pk11.c
|
||||
@@ -982,13 +982,15 @@ pk11_get_best_token(pk11_optype_t optype) {
|
||||
return (token->slotid);
|
||||
}
|
||||
|
||||
-unsigned int
|
||||
-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
|
||||
+isc_result_t
|
||||
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
|
||||
unsigned int bitcnt, i;
|
||||
CK_BYTE top;
|
||||
|
||||
- if (bytecnt == 0)
|
||||
- return (0);
|
||||
+ if (bytecnt == 0) {
|
||||
+ *bits = 0;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
bitcnt = bytecnt * 8;
|
||||
for (i = 0; i < bytecnt; i++) {
|
||||
top = data[i];
|
||||
@@ -996,26 +998,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
|
||||
bitcnt -= 8;
|
||||
continue;
|
||||
}
|
||||
- if (top & 0x80)
|
||||
- return (bitcnt);
|
||||
- if (top & 0x40)
|
||||
- return (bitcnt - 1);
|
||||
- if (top & 0x20)
|
||||
- return (bitcnt - 2);
|
||||
- if (top & 0x10)
|
||||
- return (bitcnt - 3);
|
||||
- if (top & 0x08)
|
||||
- return (bitcnt - 4);
|
||||
- if (top & 0x04)
|
||||
- return (bitcnt - 5);
|
||||
- if (top & 0x02)
|
||||
- return (bitcnt - 6);
|
||||
- if (top & 0x01)
|
||||
- return (bitcnt - 7);
|
||||
+ if (top & 0x80) {
|
||||
+ *bits = bitcnt;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x40) {
|
||||
+ *bits = bitcnt - 1;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x20) {
|
||||
+ *bits = bitcnt - 2;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x10) {
|
||||
+ *bits = bitcnt - 3;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x08) {
|
||||
+ *bits = bitcnt - 4;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x04) {
|
||||
+ *bits = bitcnt - 5;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x02) {
|
||||
+ *bits = bitcnt - 6;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
+ if (top & 0x01) {
|
||||
+ *bits = bitcnt - 7;
|
||||
+ return (ISC_R_SUCCESS);
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
- INSIST(0);
|
||||
- ISC_UNREACHABLE();
|
||||
+ return (ISC_R_RANGE);
|
||||
}
|
||||
|
||||
CK_ATTRIBUTE *
|
||||
--
|
||||
2.26.2
|
||||
|
152
SOURCES/bind-9.11-CVE-2020-8624-test.patch
Normal file
152
SOURCES/bind-9.11-CVE-2020-8624-test.patch
Normal file
@ -0,0 +1,152 @@
|
||||
From 221fb11e658e7dea1be6dbfd25e149f2d131e4fb Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 29 Jul 2020 23:36:03 +1000
|
||||
Subject: [PATCH] Add a test for update-policy 'subdomain'
|
||||
|
||||
The new test checks that 'update-policy subdomain' is properly enforced.
|
||||
|
||||
(cherry picked from commit 393e8f643c02215fa4e6d4edf67be7d77085da0e)
|
||||
|
||||
Add a test for update-policy 'zonesub'
|
||||
|
||||
The new test checks that 'update-policy zonesub' is properly enforced.
|
||||
|
||||
(cherry picked from commit 58e560beb50873c699f3431cf57e215dc645d7aa)
|
||||
---
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 12 +++++
|
||||
bin/tests/system/nsupdate/tests.sh | 60 +++++++++++++++++++--
|
||||
2 files changed, 68 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 26b6b7c9ab..540a984842 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -36,6 +36,16 @@ key altkey {
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
+key restricted.example.nil {
|
||||
+ algorithm hmac-md5;
|
||||
+ secret "1234abcd8765";
|
||||
+};
|
||||
+
|
||||
+key zonesub-key.example.nil {
|
||||
+ algorithm hmac-md5;
|
||||
+ secret "1234subk8765";
|
||||
+};
|
||||
+
|
||||
include "ddns.key";
|
||||
|
||||
zone "example.nil" {
|
||||
@@ -44,7 +54,9 @@ zone "example.nil" {
|
||||
check-integrity no;
|
||||
check-mx ignore;
|
||||
update-policy {
|
||||
+ grant zonesub-key.example.nil zonesub TXT;
|
||||
grant ddns-key.example.nil subdomain example.nil ANY;
|
||||
+ grant restricted.example.nil subdomain restricted.example.nil ANY;
|
||||
};
|
||||
allow-transfer { any; };
|
||||
};
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index b08c5220e7..5f09e8c5bf 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -428,7 +428,7 @@ EOF
|
||||
# this also proves that the server is still running.
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec example.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
-grep "ANSWER: 0" dig.out.ns3.$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 0," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
@@ -443,7 +443,7 @@ EOF
|
||||
|
||||
$DIG $DIGOPTS +tcp +noadd +nosea +nostat +noquest +nocmd +norec nsec3param.test.\
|
||||
@10.53.0.3 nsec3param > dig.out.ns3.$n || ret=1
|
||||
-grep "ANSWER: 1" dig.out.ns3.$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 1," dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "3600.*NSEC3PARAM" dig.out.ns3.$n > /dev/null || ret=1
|
||||
grep "flags:[^;]* aa[ ;]" dig.out.ns3.$n > /dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
@@ -460,7 +460,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
- if grep "ANSWER: 2" dig.out.ns3.$n > /dev/null; then
|
||||
+ if grep "ANSWER: 2," dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -485,7 +485,7 @@ EOF
|
||||
_ret=1
|
||||
for i in 0 1 2 3 4 5 6 7 8 9; do
|
||||
$DIG $DIGOPTS +tcp +norec +time=1 +tries=1 @10.53.0.3 nsec3param.test. NSEC3PARAM > dig.out.ns3.$n || _ret=1
|
||||
- if grep "ANSWER: 1" dig.out.ns3.$n > /dev/null; then
|
||||
+ if grep "ANSWER: 1," dig.out.ns3.$n > /dev/null; then
|
||||
_ret=0
|
||||
break
|
||||
fi
|
||||
@@ -631,6 +631,58 @@ then
|
||||
echo_i "failed"; status=1
|
||||
fi
|
||||
|
||||
+n=`expr $n + 1`
|
||||
+ret=0
|
||||
+echo_i "check that 'update-policy subdomain' is properly enforced ($n)"
|
||||
+# "restricted.example.nil" matches "grant ... subdomain restricted.example.nil"
|
||||
+# and thus this UPDATE should succeed.
|
||||
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 || ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key restricted.example.nil 1234abcd8765
|
||||
+update add restricted.example.nil 0 IN TXT everywhere.
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 restricted.example.nil TXT > dig.out.1.test$n || ret=1
|
||||
+grep "TXT.*everywhere" dig.out.1.test$n > /dev/null || ret=1
|
||||
+# "example.nil" does not match "grant ... subdomain restricted.example.nil" and
|
||||
+# thus this UPDATE should fail.
|
||||
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 && ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key restricted.example.nil 1234abcd8765
|
||||
+update add example.nil 0 IN TXT everywhere.
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 example.nil TXT > dig.out.2.test$n || ret=1
|
||||
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null && ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
+n=`expr $n + 1`
|
||||
+ret=0
|
||||
+echo_i "check that 'update-policy zonesub' is properly enforced ($n)"
|
||||
+# grant zonesub-key.example.nil zonesub TXT;
|
||||
+# the A record update should be rejected as it is not in the type list
|
||||
+$NSUPDATE -d <<END > nsupdate.out1-$n 2>&1 && ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key zonesub-key.example.nil 1234subk8765
|
||||
+update add zonesub.example.nil 0 IN A 1.2.3.4
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil A > dig.out.1.test$n || ret=1
|
||||
+grep "status: REFUSED" nsupdate.out1-$n > /dev/null || ret=1
|
||||
+grep "ANSWER: 0," dig.out.1.test$n > /dev/null || ret=1
|
||||
+# the TXT record update should be accepted as it is in the type list
|
||||
+$NSUPDATE -d <<END > nsupdate.out2-$n 2>&1 || ret=1
|
||||
+server 10.53.0.1 ${PORT}
|
||||
+key zonesub-key.example.nil 1234subk8765
|
||||
+update add zonesub.example.nil 0 IN TXT everywhere.
|
||||
+send
|
||||
+END
|
||||
+$DIG $DIGOPTS +tcp @10.53.0.1 zonesub.example.nil TXT > dig.out.2.test$n || ret=1
|
||||
+grep "status: REFUSED" nsupdate.out2-$n > /dev/null && ret=1
|
||||
+grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
|
||||
+grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
|
||||
--
|
||||
2.26.2
|
||||
|
32
SOURCES/bind-9.11-CVE-2020-8624.patch
Normal file
32
SOURCES/bind-9.11-CVE-2020-8624.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From e2aae621408c7622d094f13a67b928f911a2793b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 18 Aug 2020 10:55:50 +0200
|
||||
Subject: [PATCH] Fix CVE-2020-8624
|
||||
|
||||
5481. [security] "update-policy" rules of type "subdomain" were
|
||||
incorrectly treated as "zonesub" rules, which allowed
|
||||
keys used in "subdomain" rules to update names outside
|
||||
of the specified subdomains. The problem was fixed by
|
||||
making sure "subdomain" rules are again processed as
|
||||
described in the ARM. (CVE-2020-8624) [GL #2055]
|
||||
---
|
||||
bin/named/zoneconf.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
|
||||
index 55f191b..b77a07c 100644
|
||||
--- a/bin/named/zoneconf.c
|
||||
+++ b/bin/named/zoneconf.c
|
||||
@@ -239,7 +239,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
|
||||
|
||||
str = cfg_obj_asstring(matchtype);
|
||||
CHECK(dns_ssu_mtypefromstring(str, &mtype));
|
||||
- if (mtype == dns_ssumatchtype_subdomain) {
|
||||
+ if (mtype == dns_ssumatchtype_subdomain &&
|
||||
+ strcasecmp(str, "zonesub") == 0) {
|
||||
usezone = true;
|
||||
}
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,35 +0,0 @@
|
||||
diff --git a/export-libs/Makefile b/export-libs/Makefile
|
||||
index df15ea8..13f416b 100644
|
||||
--- a/export-libs/Makefile
|
||||
+++ b/export-libs/Makefile
|
||||
@@ -404,20 +404,18 @@ installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
|
||||
|
||||
install:: isc-config.sh installdirs
|
||||
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
|
||||
- rm -f ${DESTDIR}${bindir}/bind9-config
|
||||
- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
|
||||
- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
|
||||
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
|
||||
- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
|
||||
- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
|
||||
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
|
||||
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
|
||||
+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
|
||||
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
|
||||
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
||||
+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
||||
|
||||
uninstall::
|
||||
- rm -f ${DESTDIR}${sysconfdir}/bind.keys
|
||||
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
|
||||
- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
|
||||
- rm -f ${DESTDIR}${bindir}/bind9-config
|
||||
- rm -f ${DESTDIR}${bindir}/isc-config.sh
|
||||
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
|
||||
+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
|
||||
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
|
||||
+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
|
||||
|
||||
tags:
|
||||
rm -f TAGS
|
@ -1,4 +1,4 @@
|
||||
From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
|
||||
From a9b5785f174cf7fd74891fa64f6b69b9a9b55466 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 2 Jan 2018 18:13:07 +0100
|
||||
Subject: [PATCH] Fix pkcs11 variants atf tests
|
||||
@ -16,10 +16,10 @@ Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
|
||||
6 files changed, 38 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 0532feb..a83ddd5 100644
|
||||
index 62ecf56..0940a7d 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
|
||||
@@ -5476,6 +5476,7 @@ AC_CONFIG_FILES([
|
||||
lib/dns-pkcs11/include/Makefile
|
||||
lib/dns-pkcs11/include/dns/Makefile
|
||||
lib/dns-pkcs11/include/dst/Makefile
|
||||
@ -43,13 +43,13 @@ index 7c8bab0..eec9564 100644
|
||||
include('isccfg/Kyuafile')
|
||||
include('lwres/Kyuafile')
|
||||
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
|
||||
index 7671e1d..e237d5c 100644
|
||||
index 22a06a8..5df5b15 100644
|
||||
--- a/lib/dns-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/tests/Makefile.in
|
||||
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
@DST_OPENSSL_INC@
|
||||
@DST_OPENSSL_INC@ ${MAXMINDDB_CFLAGS}
|
||||
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
|
||||
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
|
||||
|
||||
@ -65,10 +65,10 @@ index 7671e1d..e237d5c 100644
|
||||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
|
||||
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
|
||||
index 4dbfd82..a383b8e 100644
|
||||
index a5bf46c..9ff2b76 100644
|
||||
--- a/lib/dns-pkcs11/tests/dh_test.c
|
||||
+++ b/lib/dns-pkcs11/tests/dh_test.c
|
||||
@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
|
||||
@@ -88,7 +88,8 @@ dh_computesecret(void **state) {
|
||||
result = dst_key_computesecret(key, key, &buf);
|
||||
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
|
||||
result = key->func->computesecret(key, key, &buf);
|
||||
@ -79,7 +79,7 @@ index 4dbfd82..a383b8e 100644
|
||||
dst_key_free(&key);
|
||||
}
|
||||
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
|
||||
index 2fdee0b..a263b35 100644
|
||||
index 36d2207..00dfbc9 100644
|
||||
--- a/lib/isc-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/isc-pkcs11/tests/Makefile.in
|
||||
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
|
||||
@ -97,10 +97,10 @@ index 2fdee0b..a263b35 100644
|
||||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
|
||||
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
|
||||
index 9c4d299..d9deba2 100644
|
||||
index 4fafc38..5eb2be2 100644
|
||||
--- a/lib/isc-pkcs11/tests/hash_test.c
|
||||
+++ b/lib/isc-pkcs11/tests/hash_test.c
|
||||
@@ -85,7 +85,7 @@ typedef struct hash_testcase {
|
||||
@@ -84,7 +84,7 @@ typedef struct hash_testcase {
|
||||
|
||||
typedef struct hash_test_key {
|
||||
const char *key;
|
||||
@ -109,7 +109,7 @@ index 9c4d299..d9deba2 100644
|
||||
} hash_test_key_t;
|
||||
|
||||
/* non-hmac tests */
|
||||
@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
|
||||
@@ -955,8 +955,11 @@ isc_hmacsha1_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
@ -122,7 +122,7 @@ index 9c4d299..d9deba2 100644
|
||||
isc_hmacsha1_update(&hmacsha1,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
|
||||
@@ -1115,8 +1118,11 @@ isc_hmacsha224_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
@ -135,7 +135,7 @@ index 9c4d299..d9deba2 100644
|
||||
isc_hmacsha224_update(&hmacsha224,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
|
||||
@@ -1276,8 +1282,11 @@ isc_hmacsha256_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
@ -148,7 +148,7 @@ index 9c4d299..d9deba2 100644
|
||||
isc_hmacsha256_update(&hmacsha256,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
|
||||
@@ -1443,8 +1452,11 @@ isc_hmacsha384_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
@ -161,7 +161,7 @@ index 9c4d299..d9deba2 100644
|
||||
isc_hmacsha384_update(&hmacsha384,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
|
||||
@@ -1610,8 +1622,11 @@ isc_hmacsha512_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
@ -174,7 +174,7 @@ index 9c4d299..d9deba2 100644
|
||||
isc_hmacsha512_update(&hmacsha512,
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
|
||||
@@ -1754,8 +1769,11 @@ isc_hmacmd5_test(void **state) {
|
||||
hash_test_key_t *test_key = test_keys;
|
||||
|
||||
while (testcase->input != NULL && testcase->result != NULL) {
|
||||
@ -188,5 +188,5 @@ index 9c4d299..d9deba2 100644
|
||||
(const uint8_t *) testcase->input,
|
||||
testcase->input_len);
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
|
||||
From f27598743ab6e03271e26f23da4beba748d19c60 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
|
||||
Date: Wed, 25 Apr 2018 14:04:31 +0200
|
||||
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
|
||||
@ -24,10 +24,10 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
|
||||
delete mode 100644 lib/isc/safe.c
|
||||
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||
index 6ddaebe..d921870 100644
|
||||
index 6dded0c..a9c5557 100644
|
||||
--- a/bin/dnssec/dnssec-signzone.c
|
||||
+++ b/bin/dnssec/dnssec-signzone.c
|
||||
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
|
||||
@@ -784,7 +784,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
|
||||
|
||||
static int
|
||||
hashlist_comp(const void *a, const void *b) {
|
||||
@ -81,7 +81,7 @@ index ad77f24..670982a 100644
|
||||
|
||||
/* accept_sec_context.c */
|
||||
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
|
||||
index 0fd0837..8ad54bb 100644
|
||||
index 149552a..8529a86 100644
|
||||
--- a/lib/isc/Makefile.in
|
||||
+++ b/lib/isc/Makefile.in
|
||||
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
|
||||
@ -91,7 +91,7 @@ index 0fd0837..8ad54bb 100644
|
||||
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
|
||||
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
|
||||
tm.@O@ timer.@O@ version.@O@ \
|
||||
tm.@O@ timer.@O@ utf8.@O@ version.@O@ \
|
||||
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
|
||||
@@ -79,7 +79,7 @@ SRCS = @ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
|
||||
netaddr.c netscope.c pool.c ondestroy.c \
|
||||
@ -100,7 +100,7 @@ index 0fd0837..8ad54bb 100644
|
||||
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
|
||||
strtoul.c symtab.c task.c taskpool.c timer.c \
|
||||
tm.c version.c
|
||||
tm.c utf8.c version.c
|
||||
|
||||
@@ -95,10 +95,6 @@ TESTDIRS = @UNITTESTS@
|
||||
|
||||
@ -284,5 +284,5 @@ index 266ac75..60e9181 100644
|
||||
|
||||
return (cmocka_run_group_tests(tests, NULL, NULL));
|
||||
--
|
||||
2.20.1
|
||||
2.26.2
|
||||
|
||||
|
@ -1,65 +0,0 @@
|
||||
From f9a37643528dc83b981156d0a1cf52e3d9a38322 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||
Date: Mon, 2 Dec 2019 15:15:06 +0100
|
||||
Subject: [PATCH] Fix GeoIP2 memory leak upon reconfiguration
|
||||
|
||||
Loaded GeoIP2 databases are only released when named is shut down, but
|
||||
not during server reconfiguration. This causes memory to be leaked
|
||||
every time "rndc reconfig" or "rndc reload" is used, as long as any
|
||||
GeoIP2 database is in use. Fix by releasing any loaded GeoIP2 databases
|
||||
before reloading them. Do not call dns_geoip_shutdown() until server
|
||||
shutdown as that function releases the memory context used for caching
|
||||
GeoIP2 lookup results.
|
||||
|
||||
(cherry picked from commit 670afbe84a87e202fa795079d9d6d1639bcf391d)
|
||||
(cherry picked from commit 95a5589fa2ac3956fecfef780158a2745718c860)
|
||||
---
|
||||
bin/named/geoip.c | 2 --
|
||||
bin/named/server.c | 6 ++++++
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bin/named/geoip.c b/bin/named/geoip.c
|
||||
index d560f8fbcf..0b11f6b803 100644
|
||||
--- a/bin/named/geoip.c
|
||||
+++ b/bin/named/geoip.c
|
||||
@@ -243,6 +243,4 @@ ns_geoip_shutdown(void) {
|
||||
ns_g_geoip->domain = NULL;
|
||||
}
|
||||
#endif /* HAVE_GEOIP2 */
|
||||
-
|
||||
- dns_geoip_shutdown();
|
||||
}
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index ebe7ad4702..4d7d2210ff 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -72,6 +72,7 @@
|
||||
#include <dns/events.h>
|
||||
#include <dns/forward.h>
|
||||
#include <dns/fixedname.h>
|
||||
+#include <dns/geoip.h>
|
||||
#include <dns/journal.h>
|
||||
#include <dns/keytable.h>
|
||||
#include <dns/keyvalues.h>
|
||||
@@ -7684,6 +7685,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
|
||||
|
||||
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
|
||||
+ /*
|
||||
+ * Release any previously opened GeoIP2 databases.
|
||||
+ */
|
||||
+ ns_geoip_shutdown();
|
||||
/*
|
||||
* Initialize GeoIP databases from the configured location.
|
||||
* This should happen before configuring any ACLs, so that we
|
||||
@@ -9030,6 +9035,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
|
||||
#endif
|
||||
#if defined(HAVE_GEOIP) || defined(HAVE_GEOIP2)
|
||||
ns_geoip_shutdown();
|
||||
+ dns_geoip_shutdown();
|
||||
#endif /* HAVE_GEOIP || HAVE_GEOIP2 */
|
||||
|
||||
dns_db_detach(&server->in_roothints);
|
||||
--
|
||||
2.21.1
|
||||
|
31
SOURCES/bind-9.11-rh1859454.patch
Normal file
31
SOURCES/bind-9.11-rh1859454.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 30753514ac06111da5b677fe7cdbafd696b1d620 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 22 Jul 2020 18:55:02 +0200
|
||||
Subject: [PATCH] Prevent crash on dst initialization failure
|
||||
|
||||
server might be created, but not yet fully initialized, when fatal
|
||||
function is called. Check both server and task before attaching
|
||||
exclusive task.
|
||||
|
||||
(cherry picked from commit c5e7152cf04f75d0fe00163f076f4cc3cafce259)
|
||||
(cherry picked from commit 35fbfaa4981333286437f26557db26863d4c5299)
|
||||
---
|
||||
bin/named/server.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 3cd8daf99e..38780ad3d7 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -9341,7 +9341,7 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
|
||||
static void
|
||||
fatal(ns_server_t *server, const char *msg, isc_result_t result) {
|
||||
- if (server != NULL) {
|
||||
+ if (server != NULL && server->task != NULL) {
|
||||
/*
|
||||
* Prevent races between the OpenSSL on_exit registered
|
||||
* function and any other OpenSSL calls from other tasks
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,90 +0,0 @@
|
||||
From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Wed, 3 Jun 2020 14:42:11 +0200
|
||||
Subject: [PATCH] Change the invalid CIDR from parser error to warning
|
||||
|
||||
In [RT #43367], the BIND 9 changed the strictness of address / prefix
|
||||
length checks:
|
||||
|
||||
Check prefixes in acls to make sure the address and
|
||||
prefix lengths are consistent. Warn only in
|
||||
BIND 9.11 and earlier.
|
||||
|
||||
Unfortunately, a regression slipped in and the check was made an error
|
||||
also in the BIND 9.11. This commit fixes the regression, but turning
|
||||
the error into a warning.
|
||||
---
|
||||
bin/tests/system/checkconf/tests.sh | 9 +++++++++
|
||||
...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
|
||||
lib/isccfg/parser.c | 9 ---------
|
||||
util/copyrights | 2 +-
|
||||
4 files changed, 20 insertions(+), 12 deletions(-)
|
||||
rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)
|
||||
|
||||
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
|
||||
index 85fb4839e9..d2b0daa35c 100644
|
||||
--- a/bin/tests/system/checkconf/tests.sh
|
||||
+++ b/bin/tests/system/checkconf/tests.sh
|
||||
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
+n=`expr $n + 1`
|
||||
+echo_i "check that invalid address/prefix length generates a warning ($n)"
|
||||
+ret=0
|
||||
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
|
||||
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
|
||||
+[ "$LINES" -eq 8 ] || ret=1
|
||||
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
|
||||
+status=`expr $status + $ret`
|
||||
+
|
||||
n=`expr $n + 1`
|
||||
echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
|
||||
ret=0
|
||||
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
|
||||
similarity index 70%
|
||||
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
|
||||
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
|
||||
index 2c768c7e1a..5e3bc3f6ee 100644
|
||||
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
|
||||
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
|
||||
@@ -9,6 +9,14 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-acl myacl {
|
||||
- 127.1/8; /* No-zero bits */
|
||||
+zone example {
|
||||
+ type master;
|
||||
+ file "example.db";
|
||||
+ auto-dnssec maintain;
|
||||
+ allow-update {
|
||||
+ 192.0.2.64/24;
|
||||
+ 192.0.2.128/24;
|
||||
+ 198.51.100.255/24;
|
||||
+ 203.0.113.2/24;
|
||||
+ };
|
||||
};
|
||||
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
|
||||
index e2af054661..44a1dfc37a 100644
|
||||
--- a/lib/isccfg/parser.c
|
||||
+++ b/lib/isccfg/parser.c
|
||||
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
|
||||
"invalid prefix length");
|
||||
return (ISC_R_RANGE);
|
||||
}
|
||||
- result = isc_netaddr_prefixok(&netaddr, prefixlen);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- char buf[ISC_NETADDR_FORMATSIZE + 1];
|
||||
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
|
||||
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
|
||||
- "'%s/%u': address/prefix length "
|
||||
- "mismatch", buf, prefixlen);
|
||||
- return (ISC_R_FAILURE);
|
||||
- }
|
||||
} else {
|
||||
if (expectprefix) {
|
||||
cfg_parser_error(pctx, CFG_LOG_NEAR,
|
||||
--
|
||||
GitLab
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 7e61714a5d1509ec79af42391e41eb1afc53063a Mon Sep 17 00:00:00 2001
|
||||
From 5c29299e43db5a4e6f8b1b07af84dfe1687c4c2b Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Tue, 12 Sep 2017 19:05:46 -0700
|
||||
Subject: [PATCH] rebased rt31459c
|
||||
@ -71,10 +71,10 @@ index 5015abb..295e16f 100644
|
||||
&entropy_source,
|
||||
randomfile,
|
||||
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
|
||||
index 2c0c308..3e585af 100644
|
||||
index d9d6bb9..de4b15f 100644
|
||||
--- a/bin/dnssec/dnssec-dsfromkey.c
|
||||
+++ b/bin/dnssec/dnssec-dsfromkey.c
|
||||
@@ -494,14 +494,14 @@ main(int argc, char **argv) {
|
||||
@@ -498,14 +498,14 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
@ -92,7 +92,7 @@ index 2c0c308..3e585af 100644
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
setup_logging(mctx, &log);
|
||||
@@ -571,8 +571,8 @@ main(int argc, char **argv) {
|
||||
@@ -574,8 +574,8 @@ main(int argc, char **argv) {
|
||||
if (dns_rdataset_isassociated(&rdataset))
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
cleanup_logging(&log);
|
||||
@ -103,10 +103,10 @@ index 2c0c308..3e585af 100644
|
||||
dns_name_destroy();
|
||||
if (verbose > 10)
|
||||
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
|
||||
index 0d1e7f8..79c4d74 100644
|
||||
index d65a514..04b3094 100644
|
||||
--- a/bin/dnssec/dnssec-importkey.c
|
||||
+++ b/bin/dnssec/dnssec-importkey.c
|
||||
@@ -407,14 +407,14 @@ main(int argc, char **argv) {
|
||||
@@ -404,14 +404,14 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
@ -124,7 +124,7 @@ index 0d1e7f8..79c4d74 100644
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
setup_logging(mctx, &log);
|
||||
@@ -458,8 +458,8 @@ main(int argc, char **argv) {
|
||||
@@ -455,8 +455,8 @@ main(int argc, char **argv) {
|
||||
if (dns_rdataset_isassociated(&rdataset))
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
cleanup_logging(&log);
|
||||
@ -167,10 +167,10 @@ index 7d82dbf..10f9359 100644
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
|
||||
index f355903..6a2ca59 100644
|
||||
index 7afcaee..1cfa511 100644
|
||||
--- a/bin/dnssec/dnssec-settime.c
|
||||
+++ b/bin/dnssec/dnssec-settime.c
|
||||
@@ -382,14 +382,14 @@ main(int argc, char **argv) {
|
||||
@@ -380,14 +380,14 @@ main(int argc, char **argv) {
|
||||
|
||||
if (ectx == NULL)
|
||||
setup_entropy(mctx, NULL, &ectx);
|
||||
@ -188,7 +188,7 @@ index f355903..6a2ca59 100644
|
||||
isc_entropy_stopcallbacksources(ectx);
|
||||
|
||||
if (predecessor != NULL) {
|
||||
@@ -674,8 +674,8 @@ main(int argc, char **argv) {
|
||||
@@ -672,8 +672,8 @@ main(int argc, char **argv) {
|
||||
if (prevkey != NULL)
|
||||
dst_key_free(&prevkey);
|
||||
dst_key_free(&key);
|
||||
@ -199,7 +199,7 @@ index f355903..6a2ca59 100644
|
||||
if (verbose > 10)
|
||||
isc_mem_stats(mctx, stdout);
|
||||
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
|
||||
index c6a0313..6ddaebe 100644
|
||||
index 319a805..27ae4d4 100644
|
||||
--- a/bin/dnssec/dnssec-signzone.c
|
||||
+++ b/bin/dnssec/dnssec-signzone.c
|
||||
@@ -3460,14 +3460,15 @@ main(int argc, char *argv[]) {
|
||||
@ -257,7 +257,7 @@ index 4c293bf..3263cbc 100644
|
||||
|
||||
rdclass = strtoclass(classname);
|
||||
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
|
||||
index fbc7ece..31a99e7 100644
|
||||
index 618ec5b..5654435 100644
|
||||
--- a/bin/dnssec/dnssectool.c
|
||||
+++ b/bin/dnssec/dnssectool.c
|
||||
@@ -34,6 +34,7 @@
|
||||
@ -293,7 +293,7 @@ index fbc7ece..31a99e7 100644
|
||||
usekeyboard);
|
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 7d85d3b..c782073 100644
|
||||
index 4e503e5..f27071f 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -36,6 +36,7 @@
|
||||
@ -304,7 +304,7 @@ index 7d85d3b..c782073 100644
|
||||
#include <isc/portset.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/random.h>
|
||||
@@ -8211,6 +8212,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8217,6 +8218,10 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
"no source of entropy found");
|
||||
} else {
|
||||
const char *randomdev = cfg_obj_asstring(obj);
|
||||
@ -315,7 +315,7 @@ index 7d85d3b..c782073 100644
|
||||
int level = ISC_LOG_ERROR;
|
||||
result = isc_entropy_createfilesource(ns_g_entropy,
|
||||
randomdev);
|
||||
@@ -8245,6 +8250,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8251,6 +8256,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
}
|
||||
isc_entropy_detach(&ns_g_fallbackentropy);
|
||||
}
|
||||
@ -688,7 +688,7 @@ index bf6dbb6..0416b21 100644
|
||||
parse_args(false, argc, argv);
|
||||
if (server == NULL)
|
||||
diff --git a/configure b/configure
|
||||
index ed002e0..a578874 100755
|
||||
index 6d05371..33689c9 100755
|
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -640,6 +640,7 @@ ac_includes_default="\
|
||||
@ -699,7 +699,7 @@ index ed002e0..a578874 100755
|
||||
BUILD_LIBS
|
||||
BUILD_LDFLAGS
|
||||
BUILD_CPPFLAGS
|
||||
@@ -821,6 +822,7 @@ XMLSTATS
|
||||
@@ -823,6 +824,7 @@ LIBXML2_CFLAGS
|
||||
NZDTARGETS
|
||||
NZDSRCS
|
||||
NZD_TOOLS
|
||||
@ -707,7 +707,7 @@ index ed002e0..a578874 100755
|
||||
PKCS11_TEST
|
||||
PKCS11_ED25519
|
||||
PKCS11_GOST
|
||||
@@ -1045,6 +1047,7 @@ with_eddsa
|
||||
@@ -1047,6 +1049,7 @@ with_eddsa
|
||||
with_aes
|
||||
enable_openssl_hash
|
||||
with_cc_alg
|
||||
@ -715,7 +715,7 @@ index ed002e0..a578874 100755
|
||||
with_lmdb
|
||||
with_libxml2
|
||||
with_libjson
|
||||
@@ -1744,6 +1747,7 @@ Optional Features:
|
||||
@@ -1749,6 +1752,7 @@ Optional Features:
|
||||
--enable-threads enable multithreading
|
||||
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
|
||||
--enable-openssl-hash use OpenSSL for hash functions [default=no]
|
||||
@ -723,7 +723,7 @@ index ed002e0..a578874 100755
|
||||
--enable-largefile 64-bit file support
|
||||
--enable-backtrace log stack backtrace on abort [default=yes]
|
||||
--enable-symtable use internal symbol table for backtrace
|
||||
@@ -17115,6 +17119,7 @@ case "$use_openssl" in
|
||||
@@ -17144,6 +17148,7 @@ case "$use_openssl" in
|
||||
$as_echo "disabled because of native PKCS11" >&6; }
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO="-DPKCS11CRYPTO"
|
||||
@ -731,7 +731,7 @@ index ed002e0..a578874 100755
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -17129,6 +17134,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
||||
@@ -17158,6 +17163,7 @@ $as_echo "disabled because of native PKCS11" >&6; }
|
||||
$as_echo "no" >&6; }
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
@ -739,7 +739,7 @@ index ed002e0..a578874 100755
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -17141,6 +17147,7 @@ $as_echo "no" >&6; }
|
||||
@@ -17170,6 +17176,7 @@ $as_echo "no" >&6; }
|
||||
auto)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
@ -747,7 +747,7 @@ index ed002e0..a578874 100755
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -17150,7 +17157,7 @@ $as_echo "no" >&6; }
|
||||
@@ -17179,7 +17186,7 @@ $as_echo "no" >&6; }
|
||||
OPENSSLLINKOBJS=""
|
||||
OPENSSLLINKSRCS=""
|
||||
as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
||||
@ -756,7 +756,7 @@ index ed002e0..a578874 100755
|
||||
;;
|
||||
*)
|
||||
if test "yes" = "$want_native_pkcs11"
|
||||
@@ -17181,6 +17188,7 @@ $as_echo "not found" >&6; }
|
||||
@@ -17210,6 +17217,7 @@ $as_echo "not found" >&6; }
|
||||
as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5
|
||||
fi
|
||||
CRYPTO='-DOPENSSL'
|
||||
@ -764,7 +764,7 @@ index ed002e0..a578874 100755
|
||||
if test "/usr" = "$use_openssl"
|
||||
then
|
||||
DST_OPENSSL_INC=""
|
||||
@@ -17806,8 +17814,6 @@ fi
|
||||
@@ -17835,8 +17843,6 @@ fi
|
||||
# Use OpenSSL for hash functions
|
||||
#
|
||||
|
||||
@ -773,7 +773,7 @@ index ed002e0..a578874 100755
|
||||
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
||||
case $want_openssl_hash in
|
||||
yes)
|
||||
@@ -18182,6 +18188,86 @@ if test "rt" = "$have_clock_gt"; then
|
||||
@@ -18211,6 +18217,86 @@ if test "rt" = "$have_clock_gt"; then
|
||||
LIBS="-lrt $LIBS"
|
||||
fi
|
||||
|
||||
@ -860,7 +860,7 @@ index ed002e0..a578874 100755
|
||||
#
|
||||
# was --with-lmdb specified?
|
||||
#
|
||||
@@ -20264,9 +20350,12 @@ _ACEOF
|
||||
@@ -20441,9 +20527,12 @@ _ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: size_t for buflen; int for flags" >&5
|
||||
$as_echo "size_t for buflen; int for flags" >&6; }
|
||||
@ -875,7 +875,7 @@ index ed002e0..a578874 100755
|
||||
|
||||
$as_echo "#define IRS_GETNAMEINFO_FLAGS_T int" >>confdefs.h
|
||||
|
||||
@@ -21581,12 +21670,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
@@ -21758,12 +21847,7 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
||||
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
||||
if test "yes" = "$use_atomic"; then
|
||||
@ -889,7 +889,7 @@ index ed002e0..a578874 100755
|
||||
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
||||
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
||||
# This bug is HP SR number 8606223364.
|
||||
@@ -21619,6 +21703,11 @@ cat >>confdefs.h <<_ACEOF
|
||||
@@ -21796,6 +21880,11 @@ cat >>confdefs.h <<_ACEOF
|
||||
_ACEOF
|
||||
|
||||
|
||||
@ -901,7 +901,7 @@ index ed002e0..a578874 100755
|
||||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -21627,39 +21716,6 @@ _ACEOF
|
||||
@@ -21804,39 +21893,6 @@ _ACEOF
|
||||
fi
|
||||
;;
|
||||
x86_64-*|amd64-*)
|
||||
@ -941,7 +941,7 @@ index ed002e0..a578874 100755
|
||||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -21690,6 +21746,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
||||
@@ -21867,6 +21923,10 @@ $as_echo_n "checking architecture type for atomic operations... " >&6; }
|
||||
$as_echo "$arch" >&6; }
|
||||
fi
|
||||
|
||||
@ -952,7 +952,7 @@ index ed002e0..a578874 100755
|
||||
if test "yes" = "$have_atomic"; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking compiler support for inline assembly code" >&5
|
||||
$as_echo_n "checking compiler support for inline assembly code... " >&6; }
|
||||
@@ -24244,6 +24304,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
||||
@@ -24421,6 +24481,30 @@ CFLAGS="$CFLAGS $SO_CFLAGS"
|
||||
#
|
||||
dlzdir='${DLZ_DRIVER_DIR}'
|
||||
|
||||
@ -983,7 +983,7 @@ index ed002e0..a578874 100755
|
||||
#
|
||||
# Private autoconf macro to simplify configuring drivers:
|
||||
#
|
||||
@@ -24574,11 +24658,11 @@ $as_echo "no" >&6; }
|
||||
@@ -24751,11 +24835,11 @@ $as_echo "no" >&6; }
|
||||
$as_echo "using mysql with libs ${mysql_lib} and includes ${mysql_include}" >&6; }
|
||||
;;
|
||||
*)
|
||||
@ -998,7 +998,7 @@ index ed002e0..a578874 100755
|
||||
fi
|
||||
|
||||
CONTRIB_DLZ="$CONTRIB_DLZ -DDLZ_MYSQL"
|
||||
@@ -24663,7 +24747,7 @@ $as_echo "" >&6; }
|
||||
@@ -24840,7 +24924,7 @@ $as_echo "" >&6; }
|
||||
# Check other locations for includes.
|
||||
# Order is important (sigh).
|
||||
|
||||
@ -1007,7 +1007,7 @@ index ed002e0..a578874 100755
|
||||
# include a blank element first
|
||||
for d in "" $bdb_incdirs
|
||||
do
|
||||
@@ -24688,57 +24772,9 @@ $as_echo "" >&6; }
|
||||
@@ -24865,57 +24949,9 @@ $as_echo "" >&6; }
|
||||
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
||||
for d in $bdb_libnames
|
||||
do
|
||||
@ -1067,7 +1067,7 @@ index ed002e0..a578874 100755
|
||||
break
|
||||
fi
|
||||
done
|
||||
@@ -24897,10 +24933,10 @@ $as_echo "no" >&6; }
|
||||
@@ -25074,10 +25110,10 @@ $as_echo "no" >&6; }
|
||||
DLZ_DRIVER_INCLUDES="$DLZ_DRIVER_INCLUDES -I$use_dlz_ldap/include"
|
||||
DLZ_DRIVER_LDAP_INCLUDES="-I$use_dlz_ldap/include"
|
||||
fi
|
||||
@ -1081,7 +1081,7 @@ index ed002e0..a578874 100755
|
||||
fi
|
||||
|
||||
|
||||
@@ -24986,11 +25022,11 @@ fi
|
||||
@@ -25163,11 +25199,11 @@ fi
|
||||
odbcdirs="/usr /usr/local /usr/pkg"
|
||||
for d in $odbcdirs
|
||||
do
|
||||
@ -1095,7 +1095,7 @@ index ed002e0..a578874 100755
|
||||
break
|
||||
fi
|
||||
done
|
||||
@@ -25265,6 +25301,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
||||
@@ -25442,6 +25478,8 @@ DNS_CRYPTO_LIBS="$NEWFLAGS"
|
||||
|
||||
|
||||
|
||||
@ -1104,7 +1104,7 @@ index ed002e0..a578874 100755
|
||||
#
|
||||
# Commands to run at the end of config.status.
|
||||
# Don't just put these into configure, it won't work right if somebody
|
||||
@@ -27644,6 +27682,8 @@ report() {
|
||||
@@ -27819,6 +27857,8 @@ report() {
|
||||
echo " IPv6 support (--enable-ipv6)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
||||
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
||||
@ -1113,7 +1113,7 @@ index ed002e0..a578874 100755
|
||||
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
||||
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
||||
@@ -27684,6 +27724,8 @@ report() {
|
||||
@@ -27859,6 +27899,8 @@ report() {
|
||||
echo " Very verbose query trace logging (--enable-querytrace)"
|
||||
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
||||
|
||||
@ -1122,7 +1122,7 @@ index ed002e0..a578874 100755
|
||||
echo " Dynamically loadable zone (DLZ) drivers:"
|
||||
test "no" = "$use_dlz_bdb" || \
|
||||
echo " Berkeley DB (--with-dlz-bdb)"
|
||||
@@ -27731,6 +27773,8 @@ report() {
|
||||
@@ -27906,6 +27948,8 @@ report() {
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
@ -1132,10 +1132,10 @@ index ed002e0..a578874 100755
|
||||
test "yes" = "$enable_seccomp" || \
|
||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 45a8126..bb1345b 100644
|
||||
index d10cde5..68bead8 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1537,6 +1537,7 @@ case "$use_openssl" in
|
||||
@@ -1550,6 +1550,7 @@ case "$use_openssl" in
|
||||
AC_MSG_RESULT(disabled because of native PKCS11)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO="-DPKCS11CRYPTO"
|
||||
@ -1143,7 +1143,7 @@ index 45a8126..bb1345b 100644
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -1550,6 +1551,7 @@ case "$use_openssl" in
|
||||
@@ -1563,6 +1564,7 @@ case "$use_openssl" in
|
||||
AC_MSG_RESULT(no)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
@ -1151,7 +1151,7 @@ index 45a8126..bb1345b 100644
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -1562,6 +1564,7 @@ case "$use_openssl" in
|
||||
@@ -1575,6 +1577,7 @@ case "$use_openssl" in
|
||||
auto)
|
||||
DST_OPENSSL_INC=""
|
||||
CRYPTO=""
|
||||
@ -1159,7 +1159,7 @@ index 45a8126..bb1345b 100644
|
||||
OPENSSLECDSALINKOBJS=""
|
||||
OPENSSLECDSALINKSRCS=""
|
||||
OPENSSLEDDSALINKOBJS=""
|
||||
@@ -1572,7 +1575,7 @@ case "$use_openssl" in
|
||||
@@ -1585,7 +1588,7 @@ case "$use_openssl" in
|
||||
OPENSSLLINKSRCS=""
|
||||
AC_MSG_ERROR(
|
||||
[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
|
||||
@ -1168,7 +1168,7 @@ index 45a8126..bb1345b 100644
|
||||
;;
|
||||
*)
|
||||
if test "yes" = "$want_native_pkcs11"
|
||||
@@ -1602,6 +1605,7 @@ If you don't want OpenSSL, use --without-openssl])
|
||||
@@ -1615,6 +1618,7 @@ If you don't want OpenSSL, use --without-openssl])
|
||||
AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
|
||||
fi
|
||||
CRYPTO='-DOPENSSL'
|
||||
@ -1176,7 +1176,7 @@ index 45a8126..bb1345b 100644
|
||||
if test "/usr" = "$use_openssl"
|
||||
then
|
||||
DST_OPENSSL_INC=""
|
||||
@@ -2037,7 +2041,6 @@ fi
|
||||
@@ -2050,7 +2054,6 @@ fi
|
||||
# Use OpenSSL for hash functions
|
||||
#
|
||||
|
||||
@ -1184,7 +1184,7 @@ index 45a8126..bb1345b 100644
|
||||
ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH"
|
||||
case $want_openssl_hash in
|
||||
yes)
|
||||
@@ -2309,6 +2312,67 @@ if test "rt" = "$have_clock_gt"; then
|
||||
@@ -2322,6 +2325,67 @@ if test "rt" = "$have_clock_gt"; then
|
||||
LIBS="-lrt $LIBS"
|
||||
fi
|
||||
|
||||
@ -1252,7 +1252,7 @@ index 45a8126..bb1345b 100644
|
||||
#
|
||||
# was --with-lmdb specified?
|
||||
#
|
||||
@@ -4105,12 +4169,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
@@ -4098,12 +4162,12 @@ ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
|
||||
ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
|
||||
ISC_PLATFORM_USEMACASM="#undef ISC_PLATFORM_USEMACASM"
|
||||
if test "yes" = "$use_atomic"; then
|
||||
@ -1266,7 +1266,7 @@ index 45a8126..bb1345b 100644
|
||||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -4119,7 +4183,6 @@ if test "yes" = "$use_atomic"; then
|
||||
@@ -4112,7 +4176,6 @@ if test "yes" = "$use_atomic"; then
|
||||
fi
|
||||
;;
|
||||
x86_64-*|amd64-*)
|
||||
@ -1274,7 +1274,7 @@ index 45a8126..bb1345b 100644
|
||||
if test $ac_cv_sizeof_void_p = 8; then
|
||||
arch=x86_64
|
||||
have_xaddq=yes
|
||||
@@ -5527,6 +5590,8 @@ report() {
|
||||
@@ -5518,6 +5581,8 @@ report() {
|
||||
echo " IPv6 support (--enable-ipv6)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
|
||||
echo " OpenSSL cryptography/DNSSEC (--with-openssl)"
|
||||
@ -1283,7 +1283,7 @@ index 45a8126..bb1345b 100644
|
||||
test "X$PYTHON" = "X" || echo " Python tools (--with-python)"
|
||||
test "X$XMLSTATS" = "X" || echo " XML statistics (--with-libxml2)"
|
||||
test "X$JSONSTATS" = "X" || echo " JSON statistics (--with-libjson)"
|
||||
@@ -5567,6 +5632,8 @@ report() {
|
||||
@@ -5558,6 +5623,8 @@ report() {
|
||||
echo " Very verbose query trace logging (--enable-querytrace)"
|
||||
test "no" = "$with_cmocka" || echo " CMocka Unit Testing Framework (--with-cmocka)"
|
||||
|
||||
@ -1292,7 +1292,7 @@ index 45a8126..bb1345b 100644
|
||||
echo " Dynamically loadable zone (DLZ) drivers:"
|
||||
test "no" = "$use_dlz_bdb" || \
|
||||
echo " Berkeley DB (--with-dlz-bdb)"
|
||||
@@ -5614,6 +5681,8 @@ report() {
|
||||
@@ -5605,6 +5672,8 @@ report() {
|
||||
echo " ECDSA algorithm support (--with-ecdsa)"
|
||||
test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
|
||||
echo " EDDSA algorithm support (--with-eddsa)"
|
||||
@ -1302,7 +1302,7 @@ index 45a8126..bb1345b 100644
|
||||
test "yes" = "$enable_seccomp" || \
|
||||
echo " Use libseccomp system call filtering (--enable-seccomp)"
|
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||
index ec6e00e..1614afa 100644
|
||||
index 65bf25d..1eccbe7 100644
|
||||
--- a/lib/dns/dst_api.c
|
||||
+++ b/lib/dns/dst_api.c
|
||||
@@ -277,6 +277,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
|
||||
@ -1440,7 +1440,7 @@ index 304814b..60543c4 100644
|
||||
isc_hash_destroy();
|
||||
cleanup_db:
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index d65ce26..6849732 100644
|
||||
index 13e838f..ffe0a69 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -31,6 +31,7 @@
|
||||
@ -1476,7 +1476,7 @@ index d65ce26..6849732 100644
|
||||
#endif
|
||||
+#endif /* !ISC_PLATFORM_CRYPTORANDOM */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
||||
static void
|
||||
@@ -192,7 +195,7 @@ _set_thread_id(CRYPTO_THREADID *id)
|
||||
isc_result_t
|
||||
@ -1845,10 +1845,10 @@ index 0000000..bd3d164
|
||||
+
|
||||
+#endif
|
||||
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
|
||||
index 5c45d59..34b660c 100644
|
||||
index 63be973..40b21fa 100644
|
||||
--- a/lib/dns/win32/libdns.def.in
|
||||
+++ b/lib/dns/win32/libdns.def.in
|
||||
@@ -1484,6 +1484,13 @@ dst_lib_destroy
|
||||
@@ -1485,6 +1485,13 @@ dst_lib_destroy
|
||||
dst_lib_init
|
||||
dst_lib_init2
|
||||
dst_lib_initmsgcat
|
||||
@ -1863,7 +1863,7 @@ index 5c45d59..34b660c 100644
|
||||
dst_region_computerid
|
||||
dst_result_register
|
||||
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
|
||||
index ab2f617..ed05ed6 100644
|
||||
index 907e470..451544d 100644
|
||||
--- a/lib/isc/entropy.c
|
||||
+++ b/lib/isc/entropy.c
|
||||
@@ -104,11 +104,15 @@ struct isc_entropy {
|
||||
@ -1921,10 +1921,10 @@ index ab2f617..ed05ed6 100644
|
||||
+ hook = myhook;
|
||||
+}
|
||||
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
|
||||
index 4bba8e1..632166a 100644
|
||||
index e8733db..c40a18c 100644
|
||||
--- a/lib/isc/include/isc/entropy.h
|
||||
+++ b/lib/isc/include/isc/entropy.h
|
||||
@@ -304,6 +304,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
@@ -302,6 +302,18 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
* isc_entropy_createcallbacksource().
|
||||
*/
|
||||
|
||||
@ -1944,10 +1944,10 @@ index 4bba8e1..632166a 100644
|
||||
|
||||
#endif /* ISC_ENTROPY_H */
|
||||
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
|
||||
index 9c7c342..ee8dc3e 100644
|
||||
index 61960f1..d22993d 100644
|
||||
--- a/lib/isc/include/isc/platform.h.in
|
||||
+++ b/lib/isc/include/isc/platform.h.in
|
||||
@@ -341,6 +341,11 @@
|
||||
@@ -359,6 +359,11 @@
|
||||
*/
|
||||
@ISC_PLATFORM_HAVESTRINGSH@
|
||||
|
||||
@ -1960,10 +1960,10 @@ index 9c7c342..ee8dc3e 100644
|
||||
* Define if the hash functions must be provided by OpenSSL.
|
||||
*/
|
||||
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
|
||||
index 42ff7e0..8d87c44 100644
|
||||
index da9d66f..4205400 100644
|
||||
--- a/lib/isc/include/isc/types.h
|
||||
+++ b/lib/isc/include/isc/types.h
|
||||
@@ -93,6 +93,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
|
||||
@@ -97,6 +97,8 @@ typedef struct isc_time isc_time_t; /*%< Time */
|
||||
typedef struct isc_timer isc_timer_t; /*%< Timer */
|
||||
typedef struct isc_timermgr isc_timermgr_t; /*%< Timer Manager */
|
||||
|
||||
@ -1973,7 +1973,7 @@ index 42ff7e0..8d87c44 100644
|
||||
typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
|
||||
|
||||
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
|
||||
index 8e6ed93..ceb5a2c 100644
|
||||
index 68aebdc..4b85527 100644
|
||||
--- a/lib/isc/pk11.c
|
||||
+++ b/lib/isc/pk11.c
|
||||
@@ -321,14 +321,16 @@ pk11_rand_seed_fromfile(const char *randomfile) {
|
||||
@ -1999,10 +1999,10 @@ index 8e6ed93..ceb5a2c 100644
|
||||
cleanup:
|
||||
if (stream != NULL)
|
||||
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
|
||||
index 5b8a2c9..913a2ce 100644
|
||||
index 8ade705..fa72f9d 100644
|
||||
--- a/lib/isc/win32/include/isc/platform.h.in
|
||||
+++ b/lib/isc/win32/include/isc/platform.h.in
|
||||
@@ -69,6 +69,11 @@
|
||||
@@ -73,6 +73,11 @@
|
||||
#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
|
||||
#define ISC_PLATFORM_NORETURN_POST
|
||||
|
||||
@ -2015,7 +2015,7 @@ index 5b8a2c9..913a2ce 100644
|
||||
* Define if the hash functions must be provided by OpenSSL.
|
||||
*/
|
||||
diff --git a/win32utils/Configure b/win32utils/Configure
|
||||
index ccaf067..240fb80 100644
|
||||
index 79d682e..6c78cb2 100644
|
||||
--- a/win32utils/Configure
|
||||
+++ b/win32utils/Configure
|
||||
@@ -382,6 +382,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA",
|
||||
@ -2036,15 +2036,15 @@ index ccaf067..240fb80 100644
|
||||
"fixed-rrset",
|
||||
"intrinsics",
|
||||
"isc-spnego",
|
||||
@@ -581,6 +583,7 @@ my @help = (
|
||||
@@ -580,6 +582,7 @@ my @help = (
|
||||
"\nOptional Features:\n",
|
||||
" enable-intrinsics enable instrinsic/atomic functions [default=yes]\n",
|
||||
" enable-intrinsics enable intrinsic/atomic functions [default=yes]\n",
|
||||
" enable-native-pkcs11 use native PKCS#11 for all crypto [default=no]\n",
|
||||
+" enable-crypto-rand use crypto provider for random [default=yes]\n",
|
||||
" enable-openssl-hash use OpenSSL for hash functions [default=yes]\n",
|
||||
" enable-isc-spnego use SPNEGO from lib/dns [default=yes]\n",
|
||||
" enable-filter-aaaa enable filtering of AAAA records [default=yes]\n",
|
||||
@@ -630,7 +633,9 @@ my $want_clean = "no";
|
||||
@@ -628,7 +631,9 @@ my $want_clean = "no";
|
||||
my $want_unknown = "no";
|
||||
my $unknown_value;
|
||||
my $enable_intrinsics = "yes";
|
||||
@ -2054,7 +2054,7 @@ index ccaf067..240fb80 100644
|
||||
my $enable_openssl_hash = "auto";
|
||||
my $enable_filter_aaaa = "yes";
|
||||
my $enable_isc_spnego = "yes";
|
||||
@@ -850,6 +855,10 @@ sub myenable {
|
||||
@@ -847,6 +852,10 @@ sub myenable {
|
||||
if ($val =~ /^yes$/i) {
|
||||
$enable_native_pkcs11 = "yes";
|
||||
}
|
||||
@ -2065,7 +2065,7 @@ index ccaf067..240fb80 100644
|
||||
} elsif ($key =~ /^openssl-hash$/i) {
|
||||
if ($val =~ /^yes$/i) {
|
||||
$enable_openssl_hash = "yes";
|
||||
@@ -1158,6 +1167,11 @@ if ($verbose) {
|
||||
@@ -1153,6 +1162,11 @@ if ($verbose) {
|
||||
} else {
|
||||
print "native-pkcs11: disabled\n";
|
||||
}
|
||||
@ -2077,7 +2077,7 @@ index ccaf067..240fb80 100644
|
||||
if ($enable_openssl_hash eq "yes") {
|
||||
print "openssl-hash: enabled\n";
|
||||
} else {
|
||||
@@ -1516,6 +1530,7 @@ if ($enable_intrinsics eq "yes") {
|
||||
@@ -1510,6 +1524,7 @@ if ($enable_intrinsics eq "yes") {
|
||||
|
||||
# enable-native-pkcs11
|
||||
if ($enable_native_pkcs11 eq "yes") {
|
||||
@ -2085,7 +2085,7 @@ index ccaf067..240fb80 100644
|
||||
if ($use_openssl eq "auto") {
|
||||
$use_openssl = "no";
|
||||
}
|
||||
@@ -1725,6 +1740,7 @@ if ($use_openssl eq "yes") {
|
||||
@@ -1719,6 +1734,7 @@ if ($use_openssl eq "yes") {
|
||||
$openssl_dll = File::Spec->catdir($openssl_path, "@dirlist[0]");
|
||||
}
|
||||
|
||||
@ -2093,7 +2093,7 @@ index ccaf067..240fb80 100644
|
||||
$configcond{"OPENSSL"} = 1;
|
||||
$configdefd{"CRYPTO"} = "OPENSSL";
|
||||
$configvar{"OPENSSL_PATH"} = "$openssl_path";
|
||||
@@ -2296,6 +2312,15 @@ if ($use_aes eq "yes") {
|
||||
@@ -2290,6 +2306,15 @@ if ($use_aes eq "yes") {
|
||||
}
|
||||
|
||||
|
||||
@ -2109,7 +2109,7 @@ index ccaf067..240fb80 100644
|
||||
# enable-openssl-hash
|
||||
if ($enable_openssl_hash eq "yes") {
|
||||
if ($use_openssl eq "no") {
|
||||
@@ -3671,6 +3696,7 @@ exit 0;
|
||||
@@ -3665,6 +3690,7 @@ exit 0;
|
||||
# --enable-developer partially supported
|
||||
# --enable-newstats (9.9/9.9sub only)
|
||||
# --enable-native-pkcs11 supported
|
||||
@ -2118,5 +2118,5 @@ index ccaf067..240fb80 100644
|
||||
# --enable-openssl-hash supported
|
||||
# --enable-threads included without a way to disable it
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001
|
||||
From 344c19ad4b3f058e65a4b41650bb0ee20692cc5c Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 28 Sep 2017 10:09:22 -0700
|
||||
Subject: [PATCH] completed and corrected the crypto-random change
|
||||
@ -39,15 +39,15 @@ Subject: [PATCH] completed and corrected the crypto-random change
|
||||
bin/tests/system/tkey/keycreate.c | 4 +-
|
||||
bin/tests/system/tkey/keydelete.c | 5 +--
|
||||
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
|
||||
doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++
|
||||
doc/arm/notes-rh-changes.xml | 42 ++++++++++++++++++
|
||||
doc/arm/notes.xml | 1 +
|
||||
lib/dns/dst_api.c | 4 +-
|
||||
lib/dns/include/dst/dst.h | 14 +++++-
|
||||
lib/dns/openssl_link.c | 3 +-
|
||||
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
|
||||
lib/isc/include/isc/entropy.h | 48 +++++++++++++++------
|
||||
lib/isc/include/isc/random.h | 28 +++++++-----
|
||||
lib/isccfg/namedconf.c | 2 +-
|
||||
23 files changed, 241 insertions(+), 106 deletions(-)
|
||||
23 files changed, 240 insertions(+), 104 deletions(-)
|
||||
create mode 100644 doc/arm/notes-rh-changes.xml
|
||||
|
||||
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
|
||||
@ -78,10 +78,10 @@ index 295e16f..0f79aa8 100644
|
||||
&entropy_source,
|
||||
randomfile,
|
||||
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
|
||||
index 0ae6b41..4562430 100644
|
||||
index 1826919..96543fc 100644
|
||||
--- a/bin/dnssec/dnssec-keygen.docbook
|
||||
+++ b/bin/dnssec/dnssec-keygen.docbook
|
||||
@@ -348,15 +348,23 @@
|
||||
@@ -349,15 +349,23 @@
|
||||
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
||||
<listitem>
|
||||
<para>
|
||||
@ -114,7 +114,7 @@ index 0ae6b41..4562430 100644
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
|
||||
index 31a99e7..38c83ed 100644
|
||||
index 5654435..24c0d5a 100644
|
||||
--- a/bin/dnssec/dnssectool.c
|
||||
+++ b/bin/dnssec/dnssectool.c
|
||||
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
|
||||
@ -142,10 +142,10 @@ index 31a99e7..38c83ed 100644
|
||||
usekeyboard);
|
||||
|
||||
diff --git a/bin/named/client.c b/bin/named/client.c
|
||||
index 50fa2cd..524d9a3 100644
|
||||
index 9a0d3c8..c573177 100644
|
||||
--- a/bin/named/client.c
|
||||
+++ b/bin/named/client.c
|
||||
@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
|
||||
@@ -1765,7 +1765,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
|
||||
|
||||
isc_buffer_init(&buf, cookie, sizeof(cookie));
|
||||
isc_stdtime_get(&now);
|
||||
@ -223,7 +223,7 @@ index d955c2f..40621f2 100644
|
||||
} else
|
||||
eresult = ns_control_docommand(request, listener->readonly, &text);
|
||||
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
|
||||
index 7ee8f66..8982d26 100644
|
||||
index 3f96b7b..c92922e 100644
|
||||
--- a/bin/named/include/named/server.h
|
||||
+++ b/bin/named/include/named/server.h
|
||||
@@ -20,6 +20,7 @@
|
||||
@ -255,7 +255,7 @@ index 9dea7c1..272d300 100644
|
||||
#include <isc/task.h>
|
||||
#include <isc/util.h>
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c
|
||||
index c9e5469..0940714 100644
|
||||
index 203f1e6..25eeced 100644
|
||||
--- a/bin/named/query.c
|
||||
+++ b/bin/named/query.c
|
||||
@@ -19,6 +19,7 @@
|
||||
@ -267,10 +267,10 @@ index c9e5469..0940714 100644
|
||||
#include <isc/serial.h>
|
||||
#include <isc/stats.h>
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 36fc047..3c1eec0 100644
|
||||
index f27071f..f132c19 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8210,21 +8210,32 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
* Open the source of entropy.
|
||||
*/
|
||||
if (first_time) {
|
||||
@ -312,7 +312,7 @@ index 36fc047..3c1eec0 100644
|
||||
#ifdef PATH_RANDOMDEV
|
||||
if (ns_g_fallbackentropy != NULL) {
|
||||
level = ISC_LOG_INFO;
|
||||
@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8235,8 +8246,8 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
NS_LOGCATEGORY_GENERAL,
|
||||
NS_LOGMODULE_SERVER,
|
||||
level,
|
||||
@ -323,7 +323,7 @@ index 36fc047..3c1eec0 100644
|
||||
randomdev,
|
||||
isc_result_totext(result));
|
||||
}
|
||||
@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
@@ -8256,7 +8267,6 @@ load_configuration(const char *filename, ns_server_t *server,
|
||||
}
|
||||
isc_entropy_detach(&ns_g_fallbackentropy);
|
||||
}
|
||||
@ -331,7 +331,7 @@ index 36fc047..3c1eec0 100644
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
@@ -9025,6 +9035,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
server->in_roothints = NULL;
|
||||
server->blackholeacl = NULL;
|
||||
server->keepresporder = NULL;
|
||||
@ -339,7 +339,7 @@ index 36fc047..3c1eec0 100644
|
||||
|
||||
/* Must be first. */
|
||||
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
|
||||
@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
@@ -9051,6 +9062,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
|
||||
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
|
||||
&server->tkeyctx),
|
||||
"creating TKEY context");
|
||||
@ -349,7 +349,7 @@ index 36fc047..3c1eec0 100644
|
||||
|
||||
/*
|
||||
* Setup the server task, which is responsible for coordinating
|
||||
@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
@@ -9257,7 +9271,8 @@ ns_server_destroy(ns_server_t **serverp) {
|
||||
|
||||
if (server->zonemgr != NULL)
|
||||
dns_zonemgr_detach(&server->zonemgr);
|
||||
@ -359,7 +359,7 @@ index 36fc047..3c1eec0 100644
|
||||
if (server->tkeyctx != NULL)
|
||||
dns_tkeyctx_destroy(&server->tkeyctx);
|
||||
|
||||
@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) {
|
||||
@@ -13263,10 +13278,10 @@ newzone_cfgctx_destroy(void **cfgp) {
|
||||
|
||||
static isc_result_t
|
||||
generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
@ -372,7 +372,7 @@ index 36fc047..3c1eec0 100644
|
||||
} rnd;
|
||||
unsigned char text[512 + 1];
|
||||
isc_region_t r;
|
||||
@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
@@ -13276,9 +13291,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
|
||||
if (saltlen > 256U)
|
||||
return (ISC_R_RANGE);
|
||||
|
||||
@ -455,10 +455,10 @@ index 2146f9b..64b8e74 100644
|
||||
}
|
||||
#endif
|
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||
index 33e06e6..539973c 100644
|
||||
index 93c7a08..bb1e81d 100644
|
||||
--- a/doc/arm/Bv9ARM-book.xml
|
||||
+++ b/doc/arm/Bv9ARM-book.xml
|
||||
@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
@@ -5081,22 +5081,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
<term><command>random-device</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
@ -522,11 +522,10 @@ index 33e06e6..539973c 100644
|
||||
</varlistentry>
|
||||
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
|
||||
new file mode 100644
|
||||
index 0000000..11c3a7c
|
||||
index 0000000..89a4961
|
||||
--- /dev/null
|
||||
+++ b/doc/arm/notes-rh-changes.xml
|
||||
@@ -0,0 +1,43 @@
|
||||
+
|
||||
@@ -0,0 +1,42 @@
|
||||
+<!--
|
||||
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+ -
|
||||
@ -570,10 +569,10 @@ index 0000000..11c3a7c
|
||||
+</section>
|
||||
+
|
||||
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
|
||||
index b16dab6..763ff7e 100644
|
||||
index 589a347..052a0bd 100644
|
||||
--- a/doc/arm/notes.xml
|
||||
+++ b/doc/arm/notes.xml
|
||||
@@ -36,6 +36,7 @@
|
||||
@@ -40,6 +40,7 @@
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
|
||||
|
||||
@ -582,7 +581,7 @@ index b16dab6..763ff7e 100644
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
|
||||
</section>
|
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
|
||||
index 1614afa..0f52df9 100644
|
||||
index 1eccbe7..1933993 100644
|
||||
--- a/lib/dns/dst_api.c
|
||||
+++ b/lib/dns/dst_api.c
|
||||
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
|
||||
@ -625,7 +624,7 @@ index 6813c96..665574d 100644
|
||||
|
||||
bool
|
||||
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||
index 6849732..e00a0e4 100644
|
||||
index ffe0a69..5e48686 100644
|
||||
--- a/lib/dns/openssl_link.c
|
||||
+++ b/lib/dns/openssl_link.c
|
||||
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
|
||||
@ -639,19 +638,10 @@ index 6849732..e00a0e4 100644
|
||||
#ifndef DONT_REQUIRE_DST_LIB_INIT
|
||||
INSIST(dst__memory_pool != NULL);
|
||||
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
|
||||
index 632166a..c7cb17d 100644
|
||||
index c40a18c..c7cb17d 100644
|
||||
--- a/lib/isc/include/isc/entropy.h
|
||||
+++ b/lib/isc/include/isc/entropy.h
|
||||
@@ -9,8 +9,6 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
-/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
|
||||
-
|
||||
#ifndef ISC_ENTROPY_H
|
||||
#define ISC_ENTROPY_H 1
|
||||
|
||||
@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
|
||||
@@ -189,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
|
||||
/*!<
|
||||
* \brief Create an entropy source that is polled via a callback.
|
||||
*
|
||||
@ -663,18 +653,23 @@ index 632166a..c7cb17d 100644
|
||||
*
|
||||
* Samples are added via isc_entropy_addcallbacksample(), below.
|
||||
* _addcallbacksample() is the only function which may be called from
|
||||
@@ -234,15 +231,32 @@ isc_result_t
|
||||
@@ -232,15 +231,32 @@ isc_result_t
|
||||
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
|
||||
unsigned int *returned, unsigned int flags);
|
||||
/*!<
|
||||
- * \brief Extract data from the entropy pool. This may load the pool from various
|
||||
- * sources.
|
||||
+ * \brief Get random data from entropy pool 'ent'.
|
||||
+ *
|
||||
*
|
||||
- * Do this by stirring the pool and returning a part of hash as randomness.
|
||||
- * Note that no secrets are given away here since parts of the hash are
|
||||
- * xored together before returned.
|
||||
+ * If a hook has been set up using isc_entropy_sethook() and
|
||||
+ * isc_entropy_usehook(), then the hook function will be called to get
|
||||
+ * random data.
|
||||
+ *
|
||||
*
|
||||
- * Honor the request from the caller to only return good data, any data,
|
||||
- * etc.
|
||||
+ * Otherwise, randomness is extracted from the entropy pool set up in BIND.
|
||||
+ * This may cause the pool to be loaded from various sources. Ths is done
|
||||
+ * by stirring the pool and returning a part of hash as randomness.
|
||||
@ -685,17 +680,12 @@ index 632166a..c7cb17d 100644
|
||||
+ * ISC_ENTROPY_BLOCKING. These will be honored if the hook function is
|
||||
+ * not in use. If it is, the flags will be passed to the hook function
|
||||
+ * but it may ignore them.
|
||||
*
|
||||
- * Do this by stiring the pool and returning a part of hash as randomness.
|
||||
- * Note that no secrets are given away here since parts of the hash are
|
||||
- * xored together before returned.
|
||||
+ *
|
||||
+ * Up to 'length' bytes of randomness are retrieved and copied into 'data'.
|
||||
+ * (If 'returned' is not NULL, and the number of bytes copied is less than
|
||||
+ * 'length' - which may happen if ISC_ENTROPY_PARTIAL was used - then the
|
||||
+ * number of bytes copied will be stored in *returned.)
|
||||
*
|
||||
- * Honor the request from the caller to only return good data, any data,
|
||||
- * etc.
|
||||
+ *
|
||||
+ * Returns:
|
||||
+ * \li ISC_R_SUCCESS on success
|
||||
+ * \li ISC_R_NOENTROPY if entropy pool is empty
|
||||
@ -703,7 +693,7 @@ index 632166a..c7cb17d 100644
|
||||
*/
|
||||
|
||||
void
|
||||
@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
@@ -305,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
|
||||
void
|
||||
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
|
||||
/*!<
|
||||
@ -782,7 +772,7 @@ index f8aed34..17c551b 100644
|
||||
|
||||
ISC_LANG_ENDDECLS
|
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||
index 03890a3..7bad989 100644
|
||||
index 1c45d5c..91693b5 100644
|
||||
--- a/lib/isccfg/namedconf.c
|
||||
+++ b/lib/isccfg/namedconf.c
|
||||
@@ -1109,7 +1109,7 @@ options_clauses[] = {
|
||||
@ -795,5 +785,5 @@ index 03890a3..7bad989 100644
|
||||
{ "recursive-clients", &cfg_type_uint32, 0 },
|
||||
{ "reserved-sockets", &cfg_type_uint32, 0 },
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 2bdcb7159b1ac097355e95864e979b4f68bc1a4e Mon Sep 17 00:00:00 2001
|
||||
From 521fc8dcc0ac064ae8bc521418f5b03f0ceec657 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 7 Nov 2019 14:31:03 +0100
|
||||
Subject: [PATCH] Implement serve-stale in 9.11
|
||||
@ -257,13 +257,13 @@ Signed-off-by: Petr Menšík <pemensik@redhat.com>
|
||||
lib/dns/master.c | 14 +-
|
||||
lib/dns/masterdump.c | 23 +
|
||||
lib/dns/rbtdb.c | 207 ++++++-
|
||||
lib/dns/resolver.c | 78 ++-
|
||||
lib/dns/resolver.c | 79 ++-
|
||||
lib/dns/sdb.c | 4 +-
|
||||
lib/dns/sdlz.c | 4 +-
|
||||
lib/dns/tests/db_test.c | 198 ++++++-
|
||||
lib/dns/view.c | 3 +
|
||||
lib/isccfg/namedconf.c | 5 +
|
||||
48 files changed, 2121 insertions(+), 102 deletions(-)
|
||||
48 files changed, 2122 insertions(+), 102 deletions(-)
|
||||
create mode 100644 bin/tests/system/serve-stale/.gitignore
|
||||
create mode 100644 bin/tests/system/serve-stale/ans2/ans.pl.in
|
||||
create mode 100644 bin/tests/system/serve-stale/clean.sh
|
||||
@ -389,22 +389,22 @@ index 9661f56..445b578 100644
|
||||
bool root_key_sentinel_is_ta;
|
||||
bool root_key_sentinel_not_ta;
|
||||
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
|
||||
index 8982d26..919ac28 100644
|
||||
index c92922e..588bf2d 100644
|
||||
--- a/bin/named/include/named/server.h
|
||||
+++ b/bin/named/include/named/server.h
|
||||
@@ -224,7 +224,10 @@ enum {
|
||||
@@ -226,7 +226,10 @@ enum {
|
||||
|
||||
dns_nsstatscounter_tcphighwater = 57,
|
||||
dns_nsstatscounter_reclimitdropped = 58,
|
||||
|
||||
- dns_nsstatscounter_max = 58
|
||||
+ dns_nsstatscounter_trystale = 58,
|
||||
+ dns_nsstatscounter_usedstale = 59,
|
||||
- dns_nsstatscounter_max = 59
|
||||
+ dns_nsstatscounter_trystale = 59,
|
||||
+ dns_nsstatscounter_usedstale = 60,
|
||||
+
|
||||
+ dns_nsstatscounter_max = 60
|
||||
+ dns_nsstatscounter_max = 61
|
||||
};
|
||||
|
||||
/*%
|
||||
@@ -763,4 +766,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
|
||||
@@ -765,4 +768,12 @@ ns_server_mkeys(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
|
||||
isc_result_t
|
||||
ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text);
|
||||
|
||||
@ -430,7 +430,7 @@ index 3aa25e9..12f178b 100644
|
||||
};
|
||||
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c
|
||||
index 0940714..882d69c 100644
|
||||
index 25eeced..162e4ea 100644
|
||||
--- a/bin/named/query.c
|
||||
+++ b/bin/named/query.c
|
||||
@@ -125,10 +125,14 @@
|
||||
@ -733,10 +733,10 @@ index 0940714..882d69c 100644
|
||||
(!PARTIALANSWER(client) || WANTRECURSION(client)
|
||||
|| eresult == DNS_R_DROP)) {
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 0c1f08b..d195bca 100644
|
||||
index 1f23cf0..1fa836f 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -1722,7 +1722,8 @@ static bool
|
||||
@@ -1720,7 +1720,8 @@ static bool
|
||||
cache_sharable(dns_view_t *originview, dns_view_t *view,
|
||||
bool new_zero_no_soattl,
|
||||
unsigned int new_cleaning_interval,
|
||||
@ -746,7 +746,7 @@ index 0c1f08b..d195bca 100644
|
||||
{
|
||||
/*
|
||||
* If the cache cannot even reused for the same view, it cannot be
|
||||
@@ -1737,6 +1738,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
|
||||
@@ -1735,6 +1736,7 @@ cache_sharable(dns_view_t *originview, dns_view_t *view,
|
||||
*/
|
||||
if (dns_cache_getcleaninginterval(originview->cache) !=
|
||||
new_cleaning_interval ||
|
||||
@ -754,7 +754,7 @@ index 0c1f08b..d195bca 100644
|
||||
dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
|
||||
return (false);
|
||||
}
|
||||
@@ -3292,6 +3294,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
@@ -3290,6 +3292,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
size_t max_acache_size;
|
||||
size_t max_adb_size;
|
||||
uint32_t lame_ttl, fail_ttl;
|
||||
@ -762,7 +762,7 @@ index 0c1f08b..d195bca 100644
|
||||
dns_tsig_keyring_t *ring = NULL;
|
||||
dns_view_t *pview = NULL; /* Production view */
|
||||
isc_mem_t *cmctx = NULL, *hmctx = NULL;
|
||||
@@ -3320,6 +3323,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
@@ -3318,6 +3321,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
bool old_rpz_ok = false;
|
||||
isc_dscp_t dscp4 = -1, dscp6 = -1;
|
||||
dns_dyndbctx_t *dctx = NULL;
|
||||
@ -770,7 +770,7 @@ index 0c1f08b..d195bca 100644
|
||||
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
|
||||
@@ -3734,6 +3738,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
@@ -3732,6 +3736,24 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
if (view->maxncachettl > 7 * 24 * 3600)
|
||||
view->maxncachettl = 7 * 24 * 3600;
|
||||
|
||||
@ -795,7 +795,7 @@ index 0c1f08b..d195bca 100644
|
||||
/*
|
||||
* Configure the view's cache.
|
||||
*
|
||||
@@ -3767,7 +3789,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
@@ -3765,7 +3787,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
nsc = cachelist_find(cachelist, cachename, view->rdclass);
|
||||
if (nsc != NULL) {
|
||||
if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
|
||||
@ -805,7 +805,7 @@ index 0c1f08b..d195bca 100644
|
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
|
||||
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
|
||||
"views %s and %s can't share the cache "
|
||||
@@ -3866,9 +3889,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
@@ -3864,9 +3887,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
|
||||
dns_cache_setcleaninginterval(cache, cleaning_interval);
|
||||
dns_cache_setcachesize(cache, max_cache_size);
|
||||
@ -821,7 +821,7 @@ index 0c1f08b..d195bca 100644
|
||||
/*
|
||||
* Resolver.
|
||||
*
|
||||
@@ -4057,6 +4086,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
@@ -4055,6 +4084,21 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
|
||||
maxbits = 4096;
|
||||
view->maxbits = maxbits;
|
||||
|
||||
@ -843,7 +843,7 @@ index 0c1f08b..d195bca 100644
|
||||
/*
|
||||
* Set supported DNSSEC algorithms.
|
||||
*/
|
||||
@@ -14423,3 +14467,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
|
||||
@@ -14456,3 +14500,132 @@ ns_server_dnstap(ns_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
|
||||
return (ISC_R_NOTIMPLEMENTED);
|
||||
#endif
|
||||
}
|
||||
@ -977,13 +977,13 @@ index 0c1f08b..d195bca 100644
|
||||
+ return (result);
|
||||
+}
|
||||
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
|
||||
index 4cdf7d6..5b413e7 100644
|
||||
index 4b8d972..8c68737 100644
|
||||
--- a/bin/named/statschannel.c
|
||||
+++ b/bin/named/statschannel.c
|
||||
@@ -297,6 +297,12 @@ init_desc(void) {
|
||||
"QryNXRedirRLookup");
|
||||
SET_NSSTATDESC(badcookie, "sent badcookie response", "QryBADCOOKIE");
|
||||
SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
|
||||
@@ -300,6 +300,12 @@ init_desc(void) {
|
||||
SET_NSSTATDESC(reclimitdropped,
|
||||
"queries dropped due to recursive client limit",
|
||||
"RecLimitDropped");
|
||||
+ SET_NSSTATDESC(trystale,
|
||||
+ "attempts to use stale cache data after lookup failure",
|
||||
+ "QryTryStale");
|
||||
@ -1007,10 +1007,10 @@ index 8083654..d519983 100644
|
||||
Print a zone's configuration.\n\
|
||||
sign zone [class [view]]\n\
|
||||
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
|
||||
index 06b073a..6ae8e5d 100644
|
||||
index e14a17e..eaf32d3 100644
|
||||
--- a/bin/rndc/rndc.docbook
|
||||
+++ b/bin/rndc/rndc.docbook
|
||||
@@ -688,6 +688,25 @@
|
||||
@@ -689,6 +689,25 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -1052,10 +1052,10 @@ index f3f1939..9ff3f07 100644
|
||||
+ exit 1
|
||||
+fi
|
||||
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||
index f781966..d20a830 100644
|
||||
index 22749b9..a247fd5 100644
|
||||
--- a/bin/tests/system/conf.sh.in
|
||||
+++ b/bin/tests/system/conf.sh.in
|
||||
@@ -125,7 +125,7 @@ PARALLELDIRS="dnssec rpzrecurse \
|
||||
@@ -128,7 +128,7 @@ PARALLELDIRS="dnssec rpzrecurse \
|
||||
reclimit redirect resolver rndc rootkeysentinel rpz \
|
||||
rrchecker rrl rrsetorder rsabigexponent runtime \
|
||||
sfcache smartsign sortlist \
|
||||
@ -2039,10 +2039,10 @@ index 0000000..201c996
|
||||
+echo "I:exit status: $status"
|
||||
+[ $status -eq 0 ] || exit 1
|
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
||||
index 539973c..8528649 100644
|
||||
index bb1e81d..6dbbfad 100644
|
||||
--- a/doc/arm/Bv9ARM-book.xml
|
||||
+++ b/doc/arm/Bv9ARM-book.xml
|
||||
@@ -4376,6 +4376,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
@@ -4381,6 +4381,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
statement in the <filename>named.conf</filename> file:
|
||||
</para>
|
||||
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="options.grammar.xml"/>
|
||||
@ -2052,7 +2052,7 @@ index 539973c..8528649 100644
|
||||
</section>
|
||||
|
||||
<section xml:id="options"><info><title><command>options</command> Statement Definition and
|
||||
@@ -4469,6 +4472,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
@@ -4474,6 +4477,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
|
||||
<command>dnssec-validation</command>,
|
||||
<command>max-cache-ttl</command>,
|
||||
<command>max-ncache-ttl</command>,
|
||||
@ -2060,7 +2060,7 @@ index 539973c..8528649 100644
|
||||
<command>max-cache-size</command>, and
|
||||
<command>zero-no-soa-ttl</command>.
|
||||
</para>
|
||||
@@ -5480,7 +5484,6 @@ options {
|
||||
@@ -5485,7 +5489,6 @@ options {
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -2068,7 +2068,7 @@ index 539973c..8528649 100644
|
||||
<varlistentry>
|
||||
<term><command>max-zone-ttl</command></term>
|
||||
<listitem>
|
||||
@@ -5516,6 +5519,21 @@ options {
|
||||
@@ -5521,6 +5524,21 @@ options {
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -2090,7 +2090,7 @@ index 539973c..8528649 100644
|
||||
<varlistentry>
|
||||
<term><command>serial-update-method</command></term>
|
||||
<listitem>
|
||||
@@ -6275,6 +6293,22 @@ options {
|
||||
@@ -6280,6 +6298,22 @@ options {
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -2113,7 +2113,7 @@ index 539973c..8528649 100644
|
||||
<varlistentry>
|
||||
<term><command>nocookie-udp-size</command></term>
|
||||
<listitem>
|
||||
@@ -7483,14 +7517,20 @@ options {
|
||||
@@ -7501,14 +7535,20 @@ options {
|
||||
<term><command>resolver-query-timeout</command></term>
|
||||
<listitem>
|
||||
<para>
|
||||
@ -2137,7 +2137,7 @@ index 539973c..8528649 100644
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
@@ -8976,6 +9016,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
|
||||
@@ -8994,6 +9034,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -2188,10 +2188,10 @@ index 181def7..59f6afb 100644
|
||||
<entry colname="1">
|
||||
<para><command>spill</command></para>
|
||||
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
|
||||
index 11c3a7c..ba3c2cc 100644
|
||||
index 89a4961..80b7dee 100644
|
||||
--- a/doc/arm/notes-rh-changes.xml
|
||||
+++ b/doc/arm/notes-rh-changes.xml
|
||||
@@ -13,6 +13,9 @@
|
||||
@@ -12,6 +12,9 @@
|
||||
<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -2201,7 +2201,7 @@ index 11c3a7c..ba3c2cc 100644
|
||||
<para>
|
||||
By default, BIND now uses the random number generation functions
|
||||
in the cryptographic library (i.e., OpenSSL or a PKCS#11
|
||||
@@ -37,7 +40,16 @@
|
||||
@@ -36,7 +39,16 @@
|
||||
case <filename>/dev/random</filename> will be the default
|
||||
entropy source. [RT #31459] [RT #46047]
|
||||
</para>
|
||||
@ -2278,7 +2278,7 @@ index e11beed..fde93c7 100644
|
||||
topology { <address_match_element>; ... }; // not implemented
|
||||
transfer-format ( many-answers | one-answer );
|
||||
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
|
||||
index 5c057a4..7b82618 100644
|
||||
index eaac5ba..a89d78f 100644
|
||||
--- a/lib/bind9/check.c
|
||||
+++ b/lib/bind9/check.c
|
||||
@@ -99,7 +99,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
|
||||
@ -2379,7 +2379,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1267,7 +1276,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1271,7 +1280,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"auto-dnssec may only be activated at the "
|
||||
"zone level");
|
||||
@ -2389,7 +2389,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1287,7 +1297,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1291,7 +1301,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
{
|
||||
obj = cfg_listelt_value(element);
|
||||
tresult = mustbesecure(obj, symtab, logctx, mctx);
|
||||
@ -2398,7 +2398,7 @@ index 5c057a4..7b82618 100644
|
||||
result = tresult;
|
||||
}
|
||||
if (symtab != NULL)
|
||||
@@ -1306,7 +1316,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1310,7 +1320,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"%s: invalid name '%s'",
|
||||
server_contact[i], str);
|
||||
@ -2408,7 +2408,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1326,7 +1337,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1330,7 +1341,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"disable-empty-zone: invalid name '%s'",
|
||||
str);
|
||||
@ -2418,7 +2418,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1340,11 +1352,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1344,11 +1356,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
strlen(cfg_obj_asstring(obj)) > 1024U) {
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"'server-id' too big (>1024 bytes)");
|
||||
@ -2433,7 +2433,7 @@ index 5c057a4..7b82618 100644
|
||||
result = tresult;
|
||||
|
||||
obj = NULL;
|
||||
@@ -1354,11 +1367,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1358,11 +1371,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
if (lifetime > 604800) { /* 7 days */
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"'nta-lifetime' cannot exceed one week");
|
||||
@ -2449,7 +2449,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1369,7 +1384,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1373,7 +1388,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
if (recheck > 604800) { /* 7 days */
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"'nta-recheck' cannot exceed one week");
|
||||
@ -2459,7 +2459,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
|
||||
if (recheck > lifetime)
|
||||
@@ -1387,7 +1403,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1391,7 +1407,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
if (strcasecmp(ccalg, "aes") == 0) {
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"cookie-algorithm: '%s' not supported", ccalg);
|
||||
@ -2469,7 +2469,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -1476,7 +1493,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1480,7 +1497,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
|
||||
"%s out of range (%u < %u)",
|
||||
fstrm[i].name, value, fstrm[i].min);
|
||||
@ -2479,7 +2479,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
|
||||
if (strcmp(fstrm[i].name, "fstrm-set-input-queue-size") == 0) {
|
||||
@@ -1490,7 +1508,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1494,7 +1512,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
"%s '%u' not a power-of-2",
|
||||
fstrm[i].name,
|
||||
cfg_obj_asuint32(obj));
|
||||
@ -2489,7 +2489,7 @@ index 5c057a4..7b82618 100644
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1508,7 +1527,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1512,7 +1531,8 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
"%" PRId64 "' "
|
||||
"is too small",
|
||||
mapsize);
|
||||
@ -2499,7 +2499,7 @@ index 5c057a4..7b82618 100644
|
||||
} else if (mapsize > (1ULL << 40)) { /* 1 terabyte */
|
||||
cfg_obj_log(obj, logctx,
|
||||
ISC_LOG_ERROR,
|
||||
@@ -1516,10 +1536,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
@@ -1520,10 +1540,20 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
|
||||
"%" PRId64 "' "
|
||||
"is too large",
|
||||
mapsize);
|
||||
@ -2669,10 +2669,10 @@ index 62797db..714b78e 100644
|
||||
dns_cache_flush(dns_cache_t *cache);
|
||||
/*%<
|
||||
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
|
||||
index ae6ae36..5079053 100644
|
||||
index 6f0eed0..e3917f2 100644
|
||||
--- a/lib/dns/include/dns/db.h
|
||||
+++ b/lib/dns/include/dns/db.h
|
||||
@@ -197,6 +197,8 @@ typedef struct dns_dbmethods {
|
||||
@@ -195,6 +195,8 @@ typedef struct dns_dbmethods {
|
||||
dns_name_t *name);
|
||||
isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version,
|
||||
uint64_t *records, uint64_t *bytes);
|
||||
@ -2681,7 +2681,7 @@ index ae6ae36..5079053 100644
|
||||
} dns_dbmethods_t;
|
||||
|
||||
typedef isc_result_t
|
||||
@@ -255,6 +257,7 @@ struct dns_dbonupdatelistener {
|
||||
@@ -253,6 +255,7 @@ struct dns_dbonupdatelistener {
|
||||
#define DNS_DBFIND_FORCENSEC3 0x0080
|
||||
#define DNS_DBFIND_ADDITIONALOK 0x0100
|
||||
#define DNS_DBFIND_NOZONECUT 0x0200
|
||||
@ -2689,7 +2689,7 @@ index ae6ae36..5079053 100644
|
||||
/*@}*/
|
||||
|
||||
/*@{*/
|
||||
@@ -1685,6 +1688,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
|
||||
@@ -1683,6 +1686,38 @@ dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
|
||||
* \li 'db' is a valid database
|
||||
* \li 'node' and 'name' are not NULL
|
||||
*/
|
||||
@ -2783,7 +2783,7 @@ index 5295d8e..97071ed 100644
|
||||
/*%
|
||||
* _OMITDNSSEC:
|
||||
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
|
||||
index 6da41b7..7b397cb 100644
|
||||
index 0b66c75..4b4b6bd 100644
|
||||
--- a/lib/dns/include/dns/resolver.h
|
||||
+++ b/lib/dns/include/dns/resolver.h
|
||||
@@ -547,9 +547,12 @@ dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
|
||||
@ -2883,7 +2883,7 @@ index c849dec..647ca2a 100644
|
||||
|
||||
#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
|
||||
diff --git a/lib/dns/master.c b/lib/dns/master.c
|
||||
index 2a87bca..ac4bb19 100644
|
||||
index 8edd732..8c9f00e 100644
|
||||
--- a/lib/dns/master.c
|
||||
+++ b/lib/dns/master.c
|
||||
@@ -1948,12 +1948,18 @@ load_text(dns_loadctx_t *lctx) {
|
||||
@ -2979,10 +2979,10 @@ index 13d1a3e..873b694 100644
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
isc_buffer_usedregion(&buffer, &r);
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index 738aa20..5055fcb 100644
|
||||
index 02f2c84..fda991d 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -488,6 +488,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
|
||||
@@ -490,6 +490,7 @@ typedef ISC_LIST(rdatasetheader_t) rdatasetheaderlist_t;
|
||||
typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
|
||||
|
||||
#define RDATASET_ATTR_NONEXISTENT 0x0001
|
||||
@ -2990,7 +2990,7 @@ index 738aa20..5055fcb 100644
|
||||
#define RDATASET_ATTR_STALE 0x0002
|
||||
#define RDATASET_ATTR_IGNORE 0x0004
|
||||
#define RDATASET_ATTR_RETAIN 0x0008
|
||||
@@ -500,6 +501,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
|
||||
@@ -502,6 +503,8 @@ typedef ISC_LIST(dns_rbtnode_t) rbtnodelist_t;
|
||||
#define RDATASET_ATTR_CASESET 0x0400
|
||||
#define RDATASET_ATTR_ZEROTTL 0x0800
|
||||
#define RDATASET_ATTR_CASEFULLYLOWER 0x1000
|
||||
@ -2999,7 +2999,7 @@ index 738aa20..5055fcb 100644
|
||||
|
||||
typedef struct acache_cbarg {
|
||||
dns_rdatasetadditional_t type;
|
||||
@@ -550,6 +553,8 @@ struct acachectl {
|
||||
@@ -552,6 +555,8 @@ struct acachectl {
|
||||
(((header)->attributes & RDATASET_ATTR_ZEROTTL) != 0)
|
||||
#define CASEFULLYLOWER(header) \
|
||||
(((header)->attributes & RDATASET_ATTR_CASEFULLYLOWER) != 0)
|
||||
@ -3008,7 +3008,7 @@ index 738aa20..5055fcb 100644
|
||||
|
||||
|
||||
#define ACTIVE(header, now) \
|
||||
@@ -609,6 +614,12 @@ typedef enum {
|
||||
@@ -611,6 +616,12 @@ typedef enum {
|
||||
expire_flush
|
||||
} expire_t;
|
||||
|
||||
@ -3021,7 +3021,7 @@ index 738aa20..5055fcb 100644
|
||||
typedef struct rbtdb_version {
|
||||
/* Not locked */
|
||||
rbtdb_serial_t serial;
|
||||
@@ -676,6 +687,12 @@ struct dns_rbtdb {
|
||||
@@ -678,6 +689,12 @@ struct dns_rbtdb {
|
||||
dns_dbnode_t *soanode;
|
||||
dns_dbnode_t *nsnode;
|
||||
|
||||
@ -3034,7 +3034,7 @@ index 738aa20..5055fcb 100644
|
||||
/*
|
||||
* This is a linked list used to implement the LRU cache. There will
|
||||
* be node_lock_count linked lists here. Nodes in bucket 1 will be
|
||||
@@ -719,6 +736,8 @@ struct dns_rbtdb {
|
||||
@@ -721,6 +738,8 @@ struct dns_rbtdb {
|
||||
#define RBTDB_ATTR_LOADED 0x01
|
||||
#define RBTDB_ATTR_LOADING 0x02
|
||||
|
||||
@ -3043,7 +3043,7 @@ index 738aa20..5055fcb 100644
|
||||
/*%
|
||||
* Search Context
|
||||
*/
|
||||
@@ -1784,15 +1803,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
|
||||
@@ -1791,15 +1810,15 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
|
||||
}
|
||||
|
||||
static inline void
|
||||
@ -3063,7 +3063,7 @@ index 738aa20..5055fcb 100644
|
||||
header->node->dirty = 1;
|
||||
|
||||
/*
|
||||
@@ -1833,8 +1852,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
|
||||
@@ -1840,8 +1859,8 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
|
||||
/*
|
||||
* If current is nonexistent or stale, we can clean it up.
|
||||
*/
|
||||
@ -3074,7 +3074,7 @@ index 738aa20..5055fcb 100644
|
||||
if (top_prev != NULL)
|
||||
top_prev->next = current->next;
|
||||
else
|
||||
@@ -2076,6 +2095,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
|
||||
@@ -2086,6 +2105,80 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
|
||||
}
|
||||
}
|
||||
|
||||
@ -3155,7 +3155,7 @@ index 738aa20..5055fcb 100644
|
||||
/*
|
||||
* Caller must be holding the node lock.
|
||||
*/
|
||||
@@ -3308,6 +3401,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
|
||||
@@ -3313,6 +3406,12 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
|
||||
rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
|
||||
if (PREFETCH(header))
|
||||
rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
|
||||
@ -3168,7 +3168,7 @@ index 738aa20..5055fcb 100644
|
||||
rdataset->private1 = rbtdb;
|
||||
rdataset->private2 = node;
|
||||
raw = (unsigned char *)header + sizeof(*header);
|
||||
@@ -4648,6 +4747,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
|
||||
@@ -4653,6 +4752,19 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
|
||||
#endif
|
||||
|
||||
if (!ACTIVE(header, search->now)) {
|
||||
@ -3188,7 +3188,7 @@ index 738aa20..5055fcb 100644
|
||||
/*
|
||||
* This rdataset is stale. If no one else is using the
|
||||
* node, we can clean it up right now, otherwise we mark
|
||||
@@ -4687,7 +4799,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
|
||||
@@ -4692,7 +4804,7 @@ check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
|
||||
node->data = header->next;
|
||||
free_rdataset(search->rbtdb, mctx, header);
|
||||
} else {
|
||||
@ -3197,7 +3197,7 @@ index 738aa20..5055fcb 100644
|
||||
*header_prev = header;
|
||||
}
|
||||
} else
|
||||
@@ -5125,7 +5237,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
|
||||
@@ -5130,7 +5242,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
|
||||
&locktype, lock, &search,
|
||||
&header_prev)) {
|
||||
/* Do nothing. */
|
||||
@ -3206,7 +3206,7 @@ index 738aa20..5055fcb 100644
|
||||
/*
|
||||
* We now know that there is at least one active
|
||||
* non-stale rdataset at this node.
|
||||
@@ -5603,7 +5715,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
|
||||
@@ -5608,7 +5720,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
|
||||
* refcurrent(rbtnode) must be non-zero. This is so
|
||||
* because 'node' is an argument to the function.
|
||||
*/
|
||||
@ -3215,7 +3215,7 @@ index 738aa20..5055fcb 100644
|
||||
if (log)
|
||||
isc_log_write(dns_lctx, category, module,
|
||||
level, "overmem cache: stale %s",
|
||||
@@ -5611,7 +5723,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
|
||||
@@ -5616,7 +5728,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
|
||||
} else if (force_expire) {
|
||||
if (! RETAIN(header)) {
|
||||
set_ttl(rbtdb, header, 0);
|
||||
@ -3224,7 +3224,7 @@ index 738aa20..5055fcb 100644
|
||||
} else if (log) {
|
||||
isc_log_write(dns_lctx, category, module,
|
||||
level, "overmem cache: "
|
||||
@@ -5868,9 +5980,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||
@@ -5873,9 +5985,9 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
|
||||
* non-zero. This is so because 'node' is an
|
||||
* argument to the function.
|
||||
*/
|
||||
@ -3236,7 +3236,7 @@ index 738aa20..5055fcb 100644
|
||||
if (header->type == matchtype)
|
||||
found = header;
|
||||
else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
|
||||
@@ -6160,7 +6272,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
@@ -6167,7 +6279,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
topheader = topheader->next)
|
||||
{
|
||||
set_ttl(rbtdb, topheader, 0);
|
||||
@ -3245,7 +3245,7 @@ index 738aa20..5055fcb 100644
|
||||
}
|
||||
goto find_header;
|
||||
}
|
||||
@@ -6218,7 +6330,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
@@ -6225,7 +6337,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
* ncache entry.
|
||||
*/
|
||||
set_ttl(rbtdb, topheader, 0);
|
||||
@ -3254,7 +3254,7 @@ index 738aa20..5055fcb 100644
|
||||
topheader = NULL;
|
||||
goto find_header;
|
||||
}
|
||||
@@ -6256,8 +6368,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
@@ -6263,8 +6375,11 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
}
|
||||
|
||||
/*
|
||||
@ -3268,7 +3268,7 @@ index 738aa20..5055fcb 100644
|
||||
*/
|
||||
if (rbtversion == NULL && trust < header->trust &&
|
||||
(ACTIVE(header, now) || header_nx)) {
|
||||
@@ -6286,6 +6401,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
@@ -6293,6 +6408,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
|
||||
if ((options & DNS_DBADD_EXACT) != 0)
|
||||
flags |= DNS_RDATASLAB_EXACT;
|
||||
@ -3279,7 +3279,7 @@ index 738aa20..5055fcb 100644
|
||||
if ((options & DNS_DBADD_EXACTTTL) != 0 &&
|
||||
newheader->rdh_ttl != header->rdh_ttl)
|
||||
result = DNS_R_NOTEXACT;
|
||||
@@ -6329,11 +6448,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
@@ -6336,11 +6455,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
}
|
||||
}
|
||||
/*
|
||||
@ -3297,7 +3297,7 @@ index 738aa20..5055fcb 100644
|
||||
*/
|
||||
if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
|
||||
header->type == dns_rdatatype_ns &&
|
||||
@@ -6508,10 +6628,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
@@ -6511,10 +6631,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
|
||||
changed->dirty = true;
|
||||
if (rbtversion == NULL) {
|
||||
set_ttl(rbtdb, header, 0);
|
||||
@ -3310,7 +3310,7 @@ index 738aa20..5055fcb 100644
|
||||
}
|
||||
}
|
||||
if (rbtversion != NULL && !header_nx) {
|
||||
@@ -8310,6 +8430,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
|
||||
@@ -8331,6 +8451,30 @@ nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
|
||||
return (result);
|
||||
}
|
||||
|
||||
@ -3341,7 +3341,7 @@ index 738aa20..5055fcb 100644
|
||||
static dns_dbmethods_t zone_methods = {
|
||||
attach,
|
||||
detach,
|
||||
@@ -8355,7 +8499,9 @@ static dns_dbmethods_t zone_methods = {
|
||||
@@ -8376,7 +8520,9 @@ static dns_dbmethods_t zone_methods = {
|
||||
NULL,
|
||||
hashsize,
|
||||
nodefullname,
|
||||
@ -3352,7 +3352,7 @@ index 738aa20..5055fcb 100644
|
||||
};
|
||||
|
||||
static dns_dbmethods_t cache_methods = {
|
||||
@@ -8403,7 +8549,9 @@ static dns_dbmethods_t cache_methods = {
|
||||
@@ -8424,7 +8570,9 @@ static dns_dbmethods_t cache_methods = {
|
||||
setcachestats,
|
||||
hashsize,
|
||||
nodefullname,
|
||||
@ -3363,7 +3363,7 @@ index 738aa20..5055fcb 100644
|
||||
};
|
||||
|
||||
isc_result_t
|
||||
@@ -8674,7 +8822,7 @@ dns_rbtdb_create
|
||||
@@ -8695,7 +8843,7 @@ dns_rbtdb_create
|
||||
rbtdb->rpzs = NULL;
|
||||
rbtdb->load_rpzs = NULL;
|
||||
rbtdb->rpz_num = DNS_RPZ_INVALID_NUM;
|
||||
@ -3372,7 +3372,7 @@ index 738aa20..5055fcb 100644
|
||||
/*
|
||||
* Version Initialization.
|
||||
*/
|
||||
@@ -9092,7 +9240,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
|
||||
@@ -9113,7 +9261,8 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
|
||||
* rdatasets to work.
|
||||
*/
|
||||
if (NONEXISTENT(header) ||
|
||||
@ -3382,7 +3382,7 @@ index 738aa20..5055fcb 100644
|
||||
header = NULL;
|
||||
break;
|
||||
} else
|
||||
@@ -10280,7 +10429,7 @@ static inline bool
|
||||
@@ -10322,7 +10471,7 @@ static inline bool
|
||||
need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
|
||||
if ((header->attributes &
|
||||
(RDATASET_ATTR_NONEXISTENT |
|
||||
@ -3391,7 +3391,7 @@ index 738aa20..5055fcb 100644
|
||||
RDATASET_ATTR_ZEROTTL)) != 0)
|
||||
return (false);
|
||||
|
||||
@@ -10386,7 +10535,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||
@@ -10428,7 +10577,7 @@ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
|
||||
bool tree_locked, expire_t reason)
|
||||
{
|
||||
set_ttl(rbtdb, header, 0);
|
||||
@ -3401,7 +3401,7 @@ index 738aa20..5055fcb 100644
|
||||
/*
|
||||
* Caller must hold the node (write) lock.
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 04a58c0..164fc01 100644
|
||||
index 337a2f3..24e14d2 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -141,16 +141,17 @@
|
||||
@ -3434,18 +3434,19 @@ index 04a58c0..164fc01 100644
|
||||
#endif
|
||||
|
||||
/* The default maximum number of recursions to follow before giving up. */
|
||||
@@ -496,6 +497,10 @@ struct dns_resolver {
|
||||
unsigned int maxqueries;
|
||||
isc_result_t quotaresp[2];
|
||||
|
||||
+ /* Additions for serve-stale feature. */
|
||||
@@ -515,6 +516,11 @@ struct dns_resolver {
|
||||
dns_fetch_t * primefetch;
|
||||
/* Locked by nlock. */
|
||||
unsigned int nfctx;
|
||||
+
|
||||
+ /* Unlocked. Additions for serve-stale feature. */
|
||||
+ unsigned int retryinterval; /* in milliseconds */
|
||||
+ unsigned int nonbackofftries;
|
||||
+
|
||||
/* Locked by lock. */
|
||||
unsigned int references;
|
||||
bool exiting;
|
||||
@@ -1617,14 +1622,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
|
||||
};
|
||||
|
||||
#define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
|
||||
@@ -1625,14 +1631,12 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
|
||||
unsigned int seconds;
|
||||
unsigned int us;
|
||||
|
||||
@ -3464,7 +3465,7 @@ index 04a58c0..164fc01 100644
|
||||
|
||||
/*
|
||||
* Add a fudge factor to the expected rtt based on the current
|
||||
@@ -4481,7 +4484,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
|
||||
@@ -4494,7 +4498,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
|
||||
/*
|
||||
* Compute an expiration time for the entire fetch.
|
||||
*/
|
||||
@ -3474,7 +3475,7 @@ index 04a58c0..164fc01 100644
|
||||
iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
|
||||
if (iresult != ISC_R_SUCCESS) {
|
||||
UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
@@ -8965,6 +8969,8 @@ dns_resolver_create(dns_view_t *view,
|
||||
@@ -8983,6 +8988,8 @@ dns_resolver_create(dns_view_t *view,
|
||||
res->spillattimer = NULL;
|
||||
res->zspill = 0;
|
||||
res->zero_no_soa_ttl = false;
|
||||
@ -3483,7 +3484,7 @@ index 04a58c0..164fc01 100644
|
||||
res->query_timeout = DEFAULT_QUERY_TIMEOUT;
|
||||
res->maxdepth = DEFAULT_RECURSION_DEPTH;
|
||||
res->maxqueries = DEFAULT_MAX_QUERIES;
|
||||
@@ -10291,17 +10297,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) {
|
||||
@@ -10317,17 +10324,20 @@ dns_resolver_gettimeout(dns_resolver_t *resolver) {
|
||||
}
|
||||
|
||||
void
|
||||
@ -3512,7 +3513,7 @@ index 04a58c0..164fc01 100644
|
||||
}
|
||||
|
||||
void
|
||||
@@ -10398,3 +10407,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
|
||||
@@ -10424,3 +10434,34 @@ dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
|
||||
|
||||
return (resolver->quotaresp[which]);
|
||||
}
|
||||
@ -3578,7 +3579,7 @@ index 0b9620c..331992e 100644
|
||||
|
||||
/*
|
||||
diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c
|
||||
index 35cf21d..bf39545 100644
|
||||
index 2849775..812f750 100644
|
||||
--- a/lib/dns/tests/db_test.c
|
||||
+++ b/lib/dns/tests/db_test.c
|
||||
@@ -28,8 +28,9 @@
|
||||
@ -3809,7 +3810,7 @@ index 35cf21d..bf39545 100644
|
||||
_setup, _teardown),
|
||||
cmocka_unit_test_setup_teardown(dbtype_test,
|
||||
diff --git a/lib/dns/view.c b/lib/dns/view.c
|
||||
index a1a4301..abf6a4c 100644
|
||||
index 0fca1d9..55ede81 100644
|
||||
--- a/lib/dns/view.c
|
||||
+++ b/lib/dns/view.c
|
||||
@@ -229,6 +229,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
|
||||
@ -3823,7 +3824,7 @@ index a1a4301..abf6a4c 100644
|
||||
view->maxbits = 0;
|
||||
view->v4_aaaa = dns_aaaa_ok;
|
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||
index 7bad989..bbf4b45 100644
|
||||
index 91693b5..5771774 100644
|
||||
--- a/lib/isccfg/namedconf.c
|
||||
+++ b/lib/isccfg/namedconf.c
|
||||
@@ -1778,6 +1778,7 @@ view_clauses[] = {
|
||||
@ -3854,5 +3855,5 @@ index 7bad989..bbf4b45 100644
|
||||
{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
|
||||
{ "transfer-format", &cfg_type_transferformat, 0 },
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
|
||||
|
@ -1,18 +1,18 @@
|
||||
From 0430b3ac66169eea7a74aaa8bfca50400d3497cf Mon Sep 17 00:00:00 2001
|
||||
From 9683a4d2524b870c4cee09259cb5eb7b8075a507 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 18 Dec 2018 16:06:26 +0100
|
||||
Subject: [PATCH] Make absolute hostname by dns API instead of strings
|
||||
|
||||
Duplicate all strings in dc_list. Free allocated memory on each record.
|
||||
---
|
||||
bin/sdb_tools/zone2ldap.c | 71 +++++++++++++++++++++++++--------------
|
||||
1 file changed, 45 insertions(+), 26 deletions(-)
|
||||
bin/sdb_tools/zone2ldap.c | 70 +++++++++++++++++++++++++--------------
|
||||
1 file changed, 45 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
|
||||
index 76186b5..28df191 100644
|
||||
index d59936c..9ba73b8 100644
|
||||
--- a/bin/sdb_tools/zone2ldap.c
|
||||
+++ b/bin/sdb_tools/zone2ldap.c
|
||||
@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
|
||||
@@ -84,6 +84,10 @@ int get_attr_list_size (char **tmp);
|
||||
/* Get a DN */
|
||||
char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
|
||||
|
||||
@ -23,7 +23,7 @@ index 76186b5..28df191 100644
|
||||
/* Add to RR list */
|
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data,
|
||||
unsigned int ttl, unsigned int flags);
|
||||
@@ -123,6 +127,7 @@ static char dNSTTL []="dNSTTL";
|
||||
@@ -120,6 +124,7 @@ static char dNSTTL []="dNSTTL";
|
||||
static char zoneName []="zoneName";
|
||||
static char dc []="dc";
|
||||
static char sameZone []="@";
|
||||
@ -31,7 +31,7 @@ index 76186b5..28df191 100644
|
||||
/* LDAPMod mod_values: */
|
||||
static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
@@ -396,6 +401,8 @@ main (int argc, char **argv)
|
||||
@@ -391,6 +396,8 @@ main (int argc, char **argv)
|
||||
}
|
||||
|
||||
}
|
||||
@ -40,7 +40,7 @@ index 76186b5..28df191 100644
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -451,12 +458,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
@@ -446,12 +453,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
char data[2048];
|
||||
char **dc_list;
|
||||
char *dn;
|
||||
@ -59,7 +59,7 @@ index 76186b5..28df191 100644
|
||||
isc_result_check (result, "dns_name_totext");
|
||||
name[isc_buffer_usedlength (&buff)] = 0;
|
||||
|
||||
@@ -478,6 +491,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
@@ -473,6 +486,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
|
||||
|
||||
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
|
||||
@ -67,7 +67,7 @@ index 76186b5..28df191 100644
|
||||
}
|
||||
|
||||
|
||||
@@ -538,12 +552,9 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -533,12 +547,9 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
if (tmp->attrs == (LDAPMod **) NULL)
|
||||
fatal("calloc");
|
||||
|
||||
@ -83,7 +83,7 @@ index 76186b5..28df191 100644
|
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
|
||||
tmp->attrs[0]->mod_type = objectClass;
|
||||
|
||||
@@ -559,9 +570,18 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -554,9 +565,18 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
return;
|
||||
}
|
||||
|
||||
@ -103,12 +103,11 @@ index 76186b5..28df191 100644
|
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL)
|
||||
fatal("calloc");
|
||||
@@ -705,25 +725,16 @@ char **
|
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -701,24 +721,16 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
char *tmp;
|
||||
- int i = 0;
|
||||
+ int i = 0, j = 0;
|
||||
int i = 0;
|
||||
+ int j = 0;
|
||||
char *hname=0L, *last=0L;
|
||||
int hlen=strlen(hostname), zlen=(strlen(zone));
|
||||
|
||||
@ -127,11 +126,11 @@ index 76186b5..28df191 100644
|
||||
{
|
||||
- if( hname == 0 )
|
||||
- hname=strdup(hostname);
|
||||
+ hname=strdup(hostname);
|
||||
last = strdup(sameZone);
|
||||
+ hname= strdup(hostname);
|
||||
last = strdup(sameZone);
|
||||
}else
|
||||
{
|
||||
@@ -731,8 +742,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
@@ -726,8 +738,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
||( strcmp( hostname + (hlen - zlen), zone ) != 0)
|
||||
)
|
||||
{
|
||||
@ -140,7 +139,7 @@ index 76186b5..28df191 100644
|
||||
hname=(char*)malloc( hlen + zlen + 1);
|
||||
if( *zone == '.' )
|
||||
sprintf(hname, "%s%s", hostname, zone);
|
||||
@@ -740,8 +749,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -735,8 +745,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
sprintf(hname,"%s",zone);
|
||||
}else
|
||||
{
|
||||
@ -150,7 +149,7 @@ index 76186b5..28df191 100644
|
||||
}
|
||||
last = hname;
|
||||
}
|
||||
@@ -754,18 +762,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -749,18 +758,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
|
||||
tmp = strrchr (hname, '.'))
|
||||
{
|
||||
@ -167,7 +166,7 @@ index 76186b5..28df191 100644
|
||||
+ dn_buffer[i++] = dot;
|
||||
if( tmp == hname )
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
+ for (j=0; j<i; j++)
|
||||
+ {
|
||||
@ -176,7 +175,7 @@ index 76186b5..28df191 100644
|
||||
if( ( last != hname ) && (tmp != hname) )
|
||||
dn_buffer[i++] = hname;
|
||||
dn_buffer[i++] = last;
|
||||
@@ -825,6 +836,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
|
||||
@@ -820,6 +832,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
|
||||
return dn;
|
||||
}
|
||||
|
||||
@ -192,5 +191,5 @@ index 76186b5..28df191 100644
|
||||
/* Initialize LDAP Conn */
|
||||
void
|
||||
--
|
||||
2.20.1
|
||||
2.21.1
|
||||
|
||||
|
@ -1,222 +0,0 @@
|
||||
From 165181b794e185af8621300e2a68777a04af8358 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 15 May 2020 14:55:26 +0200
|
||||
Subject: [PATCH] CVE-2020-8616
|
||||
|
||||
5395. [security] Further limit the number of queries that can be
|
||||
triggered from a request. Root and TLD servers
|
||||
are no longer exempt from max-recursion-queries.
|
||||
Fetches for missing name server address records
|
||||
are limited to 4 for any domain. (CVE-2020-8616)
|
||||
[GL #1388]
|
||||
---
|
||||
lib/dns/adb.c | 33 +++++++++++++----------
|
||||
lib/dns/include/dns/adb.h | 4 +++
|
||||
lib/dns/resolver.c | 55 ++++++++++++++++++++++++++-------------
|
||||
3 files changed, 60 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
|
||||
index 3d12221..ec183d0 100644
|
||||
--- a/lib/dns/adb.c
|
||||
+++ b/lib/dns/adb.c
|
||||
@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
|
||||
*/
|
||||
#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
|
||||
#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
|
||||
-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
|
||||
- != 0)
|
||||
-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
|
||||
- != 0)
|
||||
-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
|
||||
-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
|
||||
-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
|
||||
-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
|
||||
+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
|
||||
+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
|
||||
+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
|
||||
+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
|
||||
+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
|
||||
+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
|
||||
+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
|
||||
|
||||
/*
|
||||
* These are currently used on simple unsigned ints, so they are
|
||||
@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
|
||||
* Listen to negative cache hints, and don't start
|
||||
* another query.
|
||||
*/
|
||||
- if (NCACHE_RESULT(result) || AUTH_NX(result))
|
||||
+ if (NCACHE_RESULT(result) || AUTH_NX(result)) {
|
||||
goto fetch;
|
||||
+ }
|
||||
|
||||
- if (!NAME_FETCH_V6(adbname))
|
||||
+ if (!NAME_FETCH_V6(adbname)) {
|
||||
wanted_fetches |= DNS_ADBFIND_INET6;
|
||||
+ }
|
||||
}
|
||||
|
||||
fetch:
|
||||
if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
|
||||
(WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
|
||||
+ {
|
||||
have_address = true;
|
||||
- else
|
||||
+ } else {
|
||||
have_address = false;
|
||||
- if (wanted_fetches != 0 &&
|
||||
- ! (FIND_AVOIDFETCHES(find) && have_address)) {
|
||||
+ }
|
||||
+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) &&
|
||||
+ !FIND_NOFETCH(find))
|
||||
+ {
|
||||
/*
|
||||
* We're missing at least one address family. Either the
|
||||
* caller hasn't instructed us to avoid fetches, or we don't
|
||||
@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
|
||||
* be acceptable so we have to launch fetches.
|
||||
*/
|
||||
|
||||
- if (FIND_STARTATZONE(find))
|
||||
+ if (FIND_STARTATZONE(find)) {
|
||||
start_at_zone = true;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Start V4.
|
||||
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
|
||||
index ca35bac..3e27c9e 100644
|
||||
--- a/lib/dns/include/dns/adb.h
|
||||
+++ b/lib/dns/include/dns/adb.h
|
||||
@@ -207,6 +207,10 @@ struct dns_adbfind {
|
||||
* lame for this query.
|
||||
*/
|
||||
#define DNS_ADBFIND_OVERQUOTA 0x00000400
|
||||
+/*%
|
||||
+ * Don't perform a fetch even if there are no address records available.
|
||||
+ */
|
||||
+#define DNS_ADBFIND_NOFETCH 0x00000800
|
||||
|
||||
/*%
|
||||
* The answers to queries come back as a list of these.
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 164fc01..79ad212 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -173,6 +173,14 @@
|
||||
#define DEFAULT_MAX_QUERIES 75
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * After NS_FAIL_LIMIT attempts to fetch a name server address,
|
||||
+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT,
|
||||
+ * stop trying to fetch, in order to avoid wasting resources.
|
||||
+ */
|
||||
+#define NS_FAIL_LIMIT 4
|
||||
+#define NS_RR_LIMIT 5
|
||||
+
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
#define RES_DOMAIN_BUCKETS 523
|
||||
@@ -3121,8 +3129,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
|
||||
static void
|
||||
findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
|
||||
unsigned int options, unsigned int flags, isc_stdtime_t now,
|
||||
- bool *overquota, bool *need_alternate)
|
||||
-{
|
||||
+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) {
|
||||
dns_adbaddrinfo_t *ai;
|
||||
dns_adbfind_t *find;
|
||||
dns_resolver_t *res;
|
||||
@@ -3210,7 +3217,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
|
||||
find->result_v6 != DNS_R_NXDOMAIN) ||
|
||||
(res->dispatches6 == NULL &&
|
||||
find->result_v4 != DNS_R_NXDOMAIN)))
|
||||
+ {
|
||||
*need_alternate = true;
|
||||
+ }
|
||||
+ if (no_addresses != NULL) {
|
||||
+ (*no_addresses)++;
|
||||
+ }
|
||||
} else {
|
||||
if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
|
||||
if (overquota != NULL)
|
||||
@@ -3261,6 +3273,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
dns_rdata_ns_t ns;
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
+ unsigned int no_addresses = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
@@ -3428,20 +3441,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
* Extract the name from the NS record.
|
||||
*/
|
||||
result = dns_rdata_tostruct(&rdata, &ns, NULL);
|
||||
- if (result != ISC_R_SUCCESS)
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
continue;
|
||||
+ }
|
||||
|
||||
- findname(fctx, &ns.name, 0, stdoptions, 0, now,
|
||||
- &overquota, &need_alternate);
|
||||
+ if (no_addresses > NS_FAIL_LIMIT &&
|
||||
+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT)
|
||||
+ {
|
||||
+ stdoptions |= DNS_ADBFIND_NOFETCH;
|
||||
+ }
|
||||
+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota,
|
||||
+ &need_alternate, &no_addresses);
|
||||
|
||||
- if (!overquota)
|
||||
+ if (!overquota) {
|
||||
all_spilled = false;
|
||||
+ }
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
}
|
||||
- if (result != ISC_R_NOMORE)
|
||||
+ if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Do we need to use 6 to 4?
|
||||
@@ -3456,7 +3477,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
if (!a->isaddress) {
|
||||
findname(fctx, &a->_u._n.name, a->_u._n.port,
|
||||
stdoptions, FCTX_ADDRINFO_FORWARDER,
|
||||
- now, NULL, NULL);
|
||||
+ now, NULL, NULL, NULL);
|
||||
continue;
|
||||
}
|
||||
if (isc_sockaddr_pf(&a->_u.addr) != family)
|
||||
@@ -3818,16 +3839,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
|
||||
}
|
||||
}
|
||||
|
||||
- if (dns_name_countlabels(&fctx->domain) > 2) {
|
||||
- result = isc_counter_increment(fctx->qc);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
|
||||
- "exceeded max queries resolving '%s'",
|
||||
- fctx->info);
|
||||
- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
|
||||
- return;
|
||||
- }
|
||||
+ result = isc_counter_increment(fctx->qc);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
|
||||
+ "exceeded max queries resolving '%s'",
|
||||
+ fctx->info);
|
||||
+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
|
||||
+ return;
|
||||
}
|
||||
|
||||
bucketnum = fctx->bucketnum;
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,40 +0,0 @@
|
||||
From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 15 May 2020 14:56:33 +0200
|
||||
Subject: [PATCH] CVE-2020-8617
|
||||
|
||||
5390. [security] Replaying a TSIG BADTIME response as a request could
|
||||
trigger an assertion failure. (CVE-2020-8617)
|
||||
[GL #1703]
|
||||
---
|
||||
lib/dns/tsig.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
|
||||
index c6f9d1b..aee8eb0 100644
|
||||
--- a/lib/dns/tsig.c
|
||||
+++ b/lib/dns/tsig.c
|
||||
@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
|
||||
goto cleanup_context;
|
||||
}
|
||||
msg->verified_sig = 1;
|
||||
- } else if (tsig.error != dns_tsigerror_badsig &&
|
||||
- tsig.error != dns_tsigerror_badkey) {
|
||||
+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
|
||||
+ tsig.error != dns_tsigerror_badkey))
|
||||
+ {
|
||||
tsig_log(msg->tsigkey, 2, "signature was empty");
|
||||
return (DNS_R_TSIGVERIFYFAILURE);
|
||||
}
|
||||
@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
|
||||
}
|
||||
}
|
||||
|
||||
- if (tsig.error != dns_rcode_noerror) {
|
||||
+ if (response && tsig.error != dns_rcode_noerror) {
|
||||
msg->tsigstatus = tsig.error;
|
||||
if (tsig.error == dns_tsigerror_badtime)
|
||||
ret = DNS_R_CLOCKSKEW;
|
||||
--
|
||||
2.21.1
|
||||
|
@ -1,513 +0,0 @@
|
||||
From bc9a36bad14b014340244bfc35a20df6809a5568 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Date: Thu, 27 Feb 2020 15:35:31 +0100
|
||||
Subject: [PATCH] Fix rwlock to be thread-safe
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is a backport of the following commits
|
||||
|
||||
commit 4cf275ba8aa1caf47ed763b51c37fa561005cb8d
|
||||
Author: Ondřej Surý <ondrej@isc.org>
|
||||
Date: Wed Feb 12 09:17:55 2020 +0100
|
||||
|
||||
Replace non-loop usage of atomic_compare_exchange_weak with strong variant
|
||||
|
||||
commit b43f5e023885dac9f1ffdace54720150768a333b
|
||||
Author: Ondřej Surý <ondrej@isc.org>
|
||||
Date: Sat Feb 1 10:48:20 2020 +0100
|
||||
|
||||
Convert all atomic operations in isc_rwlock to release-acquire memory ordering
|
||||
|
||||
commit 49462cf9747261cbc39d5fa4c691b64ac5472af4
|
||||
Author: Ondřej Surý <ondrej@sury.org>
|
||||
Date: Tue May 14 00:19:11 2019 +0700
|
||||
|
||||
Make isc_rwlock.c thread-safe
|
||||
|
||||
commit 9d5df99a9d9d13c9487969b6fa3818a8b83b4ee2
|
||||
Author: Ondřej Surý <ondrej@sury.org>
|
||||
Date: Thu Aug 23 15:30:06 2018 +0200
|
||||
|
||||
Directly use return value of atomic_compare_exchange_strong_explicit insteaf of comparing expected value
|
||||
|
||||
commit b5709e5531d9d45f9fc3db129c11ad474477d7b6
|
||||
Author: Ondřej Surý <ondrej@sury.org>
|
||||
Date: Fri Aug 17 19:21:12 2018 +0200
|
||||
|
||||
Explicitly load atomic values in lib/isc/rwlock.c
|
||||
---
|
||||
lib/isc/rwlock.c | 275 ++++++++++++++++++-----------------------------
|
||||
1 file changed, 107 insertions(+), 168 deletions(-)
|
||||
|
||||
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
|
||||
index 9533c0f828..5591eff719 100644
|
||||
--- a/lib/isc/rwlock.c
|
||||
+++ b/lib/isc/rwlock.c
|
||||
@@ -46,6 +46,26 @@
|
||||
#if defined(ISC_RWLOCK_USEATOMIC)
|
||||
static isc_result_t
|
||||
isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
|
||||
+
|
||||
+#ifndef ISC_RWLOCK_USESTDATOMIC
|
||||
+#error non-stdatomic support removed
|
||||
+#endif
|
||||
+
|
||||
+#define atomic_load_acquire(o) \
|
||||
+ atomic_load_explicit((o), memory_order_acquire)
|
||||
+#define atomic_store_release(o, v) \
|
||||
+ atomic_store_explicit((o), (v), memory_order_release)
|
||||
+#define atomic_fetch_add_release(o, v) \
|
||||
+ atomic_fetch_add_explicit((o), (v), memory_order_release)
|
||||
+#define atomic_fetch_sub_release(o, v) \
|
||||
+ atomic_fetch_sub_explicit((o), (v), memory_order_release)
|
||||
+#define atomic_compare_exchange_weak_acq_rel(o, e, d) \
|
||||
+ atomic_compare_exchange_weak_explicit((o), (e), (d), \
|
||||
+ memory_order_acq_rel, \
|
||||
+ memory_order_acquire)
|
||||
+#define atomic_compare_exchange_strong_acq_rel(o, e, d) \
|
||||
+ atomic_compare_exchange_strong_explicit( \
|
||||
+ (o), (e), (d), memory_order_acq_rel, memory_order_acquire)
|
||||
#endif
|
||||
|
||||
#ifdef ISC_RWLOCK_TRACE
|
||||
@@ -108,13 +128,13 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
|
||||
*/
|
||||
rwl->magic = 0;
|
||||
|
||||
- rwl->spins = 0;
|
||||
#if defined(ISC_RWLOCK_USEATOMIC)
|
||||
- rwl->write_requests = 0;
|
||||
- rwl->write_completions = 0;
|
||||
- rwl->cnt_and_flag = 0;
|
||||
+ atomic_init(&rwl->spins, 0);
|
||||
+ atomic_init(&rwl->write_requests, 0);
|
||||
+ atomic_init(&rwl->write_completions, 0);
|
||||
+ atomic_init(&rwl->cnt_and_flag, 0);
|
||||
rwl->readers_waiting = 0;
|
||||
- rwl->write_granted = 0;
|
||||
+ atomic_init(&rwl->write_granted, 0);
|
||||
if (read_quota != 0) {
|
||||
UNEXPECTED_ERROR(__FILE__, __LINE__,
|
||||
"read quota is not supported");
|
||||
@@ -123,6 +143,7 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
|
||||
write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
|
||||
rwl->write_quota = write_quota;
|
||||
#else
|
||||
+ rwl->spins = 0;
|
||||
rwl->type = isc_rwlocktype_read;
|
||||
rwl->original = isc_rwlocktype_none;
|
||||
rwl->active = 0;
|
||||
@@ -178,16 +199,9 @@ void
|
||||
isc_rwlock_destroy(isc_rwlock_t *rwl) {
|
||||
REQUIRE(VALID_RWLOCK(rwl));
|
||||
|
||||
-#if defined(ISC_RWLOCK_USEATOMIC)
|
||||
- REQUIRE(rwl->write_requests == rwl->write_completions &&
|
||||
- rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
|
||||
-#else
|
||||
- LOCK(&rwl->lock);
|
||||
- REQUIRE(rwl->active == 0 &&
|
||||
- rwl->readers_waiting == 0 &&
|
||||
- rwl->writers_waiting == 0);
|
||||
- UNLOCK(&rwl->lock);
|
||||
-#endif
|
||||
+ REQUIRE(atomic_load_acquire(&rwl->write_requests) ==
|
||||
+ atomic_load_acquire(&rwl->write_completions) &&
|
||||
+ atomic_load_acquire(&rwl->cnt_and_flag) == 0 && rwl->readers_waiting == 0);
|
||||
|
||||
rwl->magic = 0;
|
||||
(void)isc_condition_destroy(&rwl->readable);
|
||||
@@ -274,10 +288,13 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
#endif
|
||||
|
||||
if (type == isc_rwlocktype_read) {
|
||||
- if (rwl->write_requests != rwl->write_completions) {
|
||||
+ if (atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions))
|
||||
+ {
|
||||
/* there is a waiting or active writer */
|
||||
LOCK(&rwl->lock);
|
||||
- if (rwl->write_requests != rwl->write_completions) {
|
||||
+ if (atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions)) {
|
||||
rwl->readers_waiting++;
|
||||
WAIT(&rwl->readable, &rwl->lock);
|
||||
rwl->readers_waiting--;
|
||||
@@ -285,23 +302,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
UNLOCK(&rwl->lock);
|
||||
}
|
||||
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
|
||||
-#endif
|
||||
+ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
POST(cntflag);
|
||||
while (1) {
|
||||
- if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
|
||||
+ if ((atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & WRITER_ACTIVE) == 0)
|
||||
+ {
|
||||
break;
|
||||
+ }
|
||||
|
||||
/* A writer is still working */
|
||||
LOCK(&rwl->lock);
|
||||
rwl->readers_waiting++;
|
||||
- if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
|
||||
+ if ((atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & WRITER_ACTIVE) != 0)
|
||||
+ {
|
||||
WAIT(&rwl->readable, &rwl->lock);
|
||||
+ }
|
||||
rwl->readers_waiting--;
|
||||
UNLOCK(&rwl->lock);
|
||||
|
||||
@@ -336,20 +354,19 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
* quota, reset the condition (race among readers doesn't
|
||||
* matter).
|
||||
*/
|
||||
- rwl->write_granted = 0;
|
||||
+ atomic_store_release(&rwl->write_granted, 0);
|
||||
} else {
|
||||
int32_t prev_writer;
|
||||
|
||||
/* enter the waiting queue, and wait for our turn */
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
|
||||
-#endif
|
||||
- while (rwl->write_completions != prev_writer) {
|
||||
+ prev_writer = atomic_fetch_add_release(&rwl->write_requests, 1);
|
||||
+ while (atomic_load_acquire(&rwl->write_completions)
|
||||
+ != prev_writer)
|
||||
+ {
|
||||
LOCK(&rwl->lock);
|
||||
- if (rwl->write_completions != prev_writer) {
|
||||
+ if (atomic_load_acquire(&rwl->write_completions)
|
||||
+ != prev_writer)
|
||||
+ {
|
||||
WAIT(&rwl->writeable, &rwl->lock);
|
||||
UNLOCK(&rwl->lock);
|
||||
continue;
|
||||
@@ -359,29 +376,24 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
}
|
||||
|
||||
while (1) {
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
int_fast32_t cntflag2 = 0;
|
||||
- atomic_compare_exchange_strong_explicit
|
||||
- (&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE,
|
||||
- memory_order_relaxed, memory_order_relaxed);
|
||||
-#else
|
||||
- int32_t cntflag2;
|
||||
- cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
|
||||
- WRITER_ACTIVE);
|
||||
-#endif
|
||||
-
|
||||
- if (cntflag2 == 0)
|
||||
+ if (atomic_compare_exchange_weak_acq_rel(
|
||||
+ &rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE))
|
||||
+ {
|
||||
break;
|
||||
+ }
|
||||
|
||||
/* Another active reader or writer is working. */
|
||||
LOCK(&rwl->lock);
|
||||
- if (rwl->cnt_and_flag != 0)
|
||||
+ if (atomic_load_acquire(&rwl->cnt_and_flag) != 0) {
|
||||
WAIT(&rwl->writeable, &rwl->lock);
|
||||
+ }
|
||||
UNLOCK(&rwl->lock);
|
||||
}
|
||||
|
||||
- INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
|
||||
- rwl->write_granted++;
|
||||
+ INSIST((atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & WRITER_ACTIVE));
|
||||
+ atomic_fetch_add_release(&rwl->write_granted, 1);
|
||||
}
|
||||
|
||||
#ifdef ISC_RWLOCK_TRACE
|
||||
@@ -395,12 +407,10 @@ isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
isc_result_t
|
||||
isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
int32_t cnt = 0;
|
||||
- int32_t max_cnt = rwl->spins * 2 + 10;
|
||||
+ int32_t spins = atomic_load_acquire(&rwl->spins) * 2 + 10;
|
||||
+ int32_t max_cnt = ISC_MAX(spins, RWLOCK_MAX_ADAPTIVE_COUNT);
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
|
||||
- if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
|
||||
- max_cnt = RWLOCK_MAX_ADAPTIVE_COUNT;
|
||||
-
|
||||
do {
|
||||
if (cnt++ >= max_cnt) {
|
||||
result = isc__rwlock_lock(rwl, type);
|
||||
@@ -411,7 +421,7 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
#endif
|
||||
} while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS);
|
||||
|
||||
- rwl->spins += (cnt - rwl->spins) / 8;
|
||||
+ atomic_fetch_add_release(&rwl->spins, (cnt - spins) / 8);
|
||||
|
||||
return (result);
|
||||
}
|
||||
@@ -429,36 +439,28 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
|
||||
if (type == isc_rwlocktype_read) {
|
||||
/* If a writer is waiting or working, we fail. */
|
||||
- if (rwl->write_requests != rwl->write_completions)
|
||||
+ if (atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions))
|
||||
return (ISC_R_LOCKBUSY);
|
||||
|
||||
/* Otherwise, be ready for reading. */
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
|
||||
-#endif
|
||||
+ cntflag = atomic_fetch_add_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
if ((cntflag & WRITER_ACTIVE) != 0) {
|
||||
/*
|
||||
* A writer is working. We lose, and cancel the read
|
||||
* request.
|
||||
*/
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- cntflag = atomic_fetch_sub_explicit
|
||||
- (&rwl->cnt_and_flag, READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
|
||||
- -READER_INCR);
|
||||
-#endif
|
||||
+ cntflag = atomic_fetch_sub_release(
|
||||
+ &rwl->cnt_and_flag, READER_INCR);
|
||||
/*
|
||||
* If no other readers are waiting and we've suspended
|
||||
* new writers in this short period, wake them up.
|
||||
*/
|
||||
if (cntflag == READER_INCR &&
|
||||
- rwl->write_completions != rwl->write_requests) {
|
||||
+ atomic_load_acquire(&rwl->write_completions) !=
|
||||
+ atomic_load_acquire(&rwl->write_requests))
|
||||
+ {
|
||||
LOCK(&rwl->lock);
|
||||
BROADCAST(&rwl->writeable);
|
||||
UNLOCK(&rwl->lock);
|
||||
@@ -468,31 +470,19 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
}
|
||||
} else {
|
||||
/* Try locking without entering the waiting queue. */
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
int_fast32_t zero = 0;
|
||||
- if (!atomic_compare_exchange_strong_explicit
|
||||
- (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE,
|
||||
- memory_order_relaxed, memory_order_relaxed))
|
||||
+ if (!atomic_compare_exchange_strong_acq_rel(
|
||||
+ &rwl->cnt_and_flag, &zero, WRITER_ACTIVE))
|
||||
+ {
|
||||
return (ISC_R_LOCKBUSY);
|
||||
-#else
|
||||
- cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
|
||||
- WRITER_ACTIVE);
|
||||
- if (cntflag != 0)
|
||||
- return (ISC_R_LOCKBUSY);
|
||||
-#endif
|
||||
+ }
|
||||
|
||||
/*
|
||||
* XXXJT: jump into the queue, possibly breaking the writer
|
||||
* order.
|
||||
*/
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- atomic_fetch_sub_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, -1);
|
||||
-#endif
|
||||
-
|
||||
- rwl->write_granted++;
|
||||
+ atomic_fetch_sub_release(&rwl->write_completions, 1);
|
||||
+ atomic_fetch_add_release(&rwl->write_granted, 1);
|
||||
}
|
||||
|
||||
#ifdef ISC_RWLOCK_TRACE
|
||||
@@ -507,14 +497,12 @@ isc_result_t
|
||||
isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
|
||||
REQUIRE(VALID_RWLOCK(rwl));
|
||||
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
{
|
||||
int_fast32_t reader_incr = READER_INCR;
|
||||
|
||||
/* Try to acquire write access. */
|
||||
- atomic_compare_exchange_strong_explicit
|
||||
- (&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE,
|
||||
- memory_order_relaxed, memory_order_relaxed);
|
||||
+ atomic_compare_exchange_strong_acq_rel(
|
||||
+ &rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE);
|
||||
/*
|
||||
* There must have been no writer, and there must have
|
||||
* been at least one reader.
|
||||
@@ -527,36 +515,11 @@ isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
|
||||
* We are the only reader and have been upgraded.
|
||||
* Now jump into the head of the writer waiting queue.
|
||||
*/
|
||||
- atomic_fetch_sub_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
+ atomic_fetch_sub_release(&rwl->write_completions, 1);
|
||||
} else
|
||||
return (ISC_R_LOCKBUSY);
|
||||
|
||||
}
|
||||
-#else
|
||||
- {
|
||||
- int32_t prevcnt;
|
||||
-
|
||||
- /* Try to acquire write access. */
|
||||
- prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
|
||||
- READER_INCR, WRITER_ACTIVE);
|
||||
- /*
|
||||
- * There must have been no writer, and there must have
|
||||
- * been at least one reader.
|
||||
- */
|
||||
- INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
|
||||
- (prevcnt & ~WRITER_ACTIVE) != 0);
|
||||
-
|
||||
- if (prevcnt == READER_INCR) {
|
||||
- /*
|
||||
- * We are the only reader and have been upgraded.
|
||||
- * Now jump into the head of the writer waiting queue.
|
||||
- */
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, -1);
|
||||
- } else
|
||||
- return (ISC_R_LOCKBUSY);
|
||||
- }
|
||||
-#endif
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
@@ -567,33 +530,15 @@ isc_rwlock_downgrade(isc_rwlock_t *rwl) {
|
||||
|
||||
REQUIRE(VALID_RWLOCK(rwl));
|
||||
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- {
|
||||
- /* Become an active reader. */
|
||||
- prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
- /* We must have been a writer. */
|
||||
- INSIST((prev_readers & WRITER_ACTIVE) != 0);
|
||||
-
|
||||
- /* Complete write */
|
||||
- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
|
||||
- memory_order_relaxed);
|
||||
- atomic_fetch_add_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
- }
|
||||
-#else
|
||||
- {
|
||||
- /* Become an active reader. */
|
||||
- prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
|
||||
- /* We must have been a writer. */
|
||||
- INSIST((prev_readers & WRITER_ACTIVE) != 0);
|
||||
-
|
||||
- /* Complete write */
|
||||
- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, 1);
|
||||
- }
|
||||
-#endif
|
||||
+ /* Become an active reader. */
|
||||
+ prev_readers = atomic_fetch_add_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
+ /* We must have been a writer. */
|
||||
+ INSIST((prev_readers & WRITER_ACTIVE) != 0);
|
||||
+
|
||||
+ /* Complete write */
|
||||
+ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
|
||||
+ atomic_fetch_add_release(&rwl->write_completions, 1);
|
||||
|
||||
/* Resume other readers */
|
||||
LOCK(&rwl->lock);
|
||||
@@ -614,20 +559,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
#endif
|
||||
|
||||
if (type == isc_rwlocktype_read) {
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
|
||||
- READER_INCR,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
|
||||
-#endif
|
||||
+ prev_cnt = atomic_fetch_sub_release(&rwl->cnt_and_flag,
|
||||
+ READER_INCR);
|
||||
/*
|
||||
* If we're the last reader and any writers are waiting, wake
|
||||
* them up. We need to wake up all of them to ensure the
|
||||
* FIFO order.
|
||||
*/
|
||||
if (prev_cnt == READER_INCR &&
|
||||
- rwl->write_completions != rwl->write_requests) {
|
||||
+ atomic_load_acquire(&rwl->write_completions) !=
|
||||
+ atomic_load_acquire(&rwl->write_requests)) {
|
||||
LOCK(&rwl->lock);
|
||||
BROADCAST(&rwl->writeable);
|
||||
UNLOCK(&rwl->lock);
|
||||
@@ -639,19 +580,16 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
* Reset the flag, and (implicitly) tell other writers
|
||||
* we are done.
|
||||
*/
|
||||
-#if defined(ISC_RWLOCK_USESTDATOMIC)
|
||||
- atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
|
||||
- memory_order_relaxed);
|
||||
- atomic_fetch_add_explicit(&rwl->write_completions, 1,
|
||||
- memory_order_relaxed);
|
||||
-#else
|
||||
- (void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
|
||||
- (void)isc_atomic_xadd(&rwl->write_completions, 1);
|
||||
-#endif
|
||||
-
|
||||
- if (rwl->write_granted >= rwl->write_quota ||
|
||||
- rwl->write_requests == rwl->write_completions ||
|
||||
- (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
|
||||
+ atomic_fetch_sub_release(&rwl->cnt_and_flag, WRITER_ACTIVE);
|
||||
+ atomic_fetch_add_release(&rwl->write_completions, 1);
|
||||
+
|
||||
+ if ((atomic_load_acquire(&rwl->write_granted) >=
|
||||
+ rwl->write_quota) ||
|
||||
+ (atomic_load_acquire(&rwl->write_requests) ==
|
||||
+ atomic_load_acquire(&rwl->write_completions)) ||
|
||||
+ (atomic_load_acquire(&rwl->cnt_and_flag)
|
||||
+ & ~WRITER_ACTIVE))
|
||||
+ {
|
||||
/*
|
||||
* We have passed the write quota, no writer is
|
||||
* waiting, or some readers are almost ready, pending
|
||||
@@ -668,7 +606,8 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
|
||||
UNLOCK(&rwl->lock);
|
||||
}
|
||||
|
||||
- if (rwl->write_requests != rwl->write_completions &&
|
||||
+ if ((atomic_load_acquire(&rwl->write_requests) !=
|
||||
+ atomic_load_acquire(&rwl->write_completions)) &&
|
||||
wakeup_writers) {
|
||||
LOCK(&rwl->lock);
|
||||
BROADCAST(&rwl->writeable);
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,5 +1,5 @@
|
||||
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
|
||||
index 95ab742..6069f09 100644
|
||||
index 95ab742..5059a17 100644
|
||||
--- a/bin/sdb_tools/Makefile.in
|
||||
+++ b/bin/sdb_tools/Makefile.in
|
||||
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||
@ -7,49 +7,46 @@ index 95ab742..6069f09 100644
|
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
|
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
|
||||
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ ldap2zone@EXEEXT@
|
||||
|
||||
-OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
|
||||
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@ ldap2zone.@O@
|
||||
|
||||
-SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
|
||||
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
|
||||
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c ldap2zone.c
|
||||
|
||||
MANPAGES = zone2ldap.1
|
||||
|
||||
@@ -53,6 +53,9 @@ zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
|
||||
zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
|
||||
@@ -47,6 +47,9 @@ EXT_CFLAGS =
|
||||
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
|
||||
|
||||
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
|
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
|
||||
+
|
||||
clean distclean manclean maintainer-clean::
|
||||
rm -f ${TARGETS} ${OBJS}
|
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
|
||||
|
||||
@@ -62,6 +65,7 @@ installdirs:
|
||||
|
||||
install:: ${TARGETS} installdirs
|
||||
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
|
||||
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
|
||||
index aa2c711..76186b5 100644
|
||||
index e0e9207..d59936c 100644
|
||||
--- a/bin/sdb_tools/zone2ldap.c
|
||||
+++ b/bin/sdb_tools/zone2ldap.c
|
||||
@@ -66,6 +66,9 @@ ldap_info;
|
||||
/* usage Info */
|
||||
void usage (void);
|
||||
@@ -73,7 +73,7 @@ void add_ldap_values (ldap_info * ldinfo);
|
||||
void init_ldap_conn (void);
|
||||
|
||||
+/* Check for existence of (and possibly add) containing dNSZone objects */
|
||||
+int lookup_dns_zones( ldap_info *ldinfo);
|
||||
+
|
||||
/* Add to the ldap dit */
|
||||
void add_ldap_values (ldap_info * ldinfo);
|
||||
/* Ldap error checking */
|
||||
-void ldap_result_check (const char *msg, char *dn, int err);
|
||||
+void ldap_result_check (const char *msg, const char *dn, int err);
|
||||
|
||||
@@ -82,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
/* Put a hostname into a char ** array */
|
||||
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
@@ -82,7 +82,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
|
||||
int get_attr_list_size (char **tmp);
|
||||
|
||||
/* Get a DN */
|
||||
@ -58,7 +55,7 @@ index aa2c711..76186b5 100644
|
||||
|
||||
/* Add to RR list */
|
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data,
|
||||
@@ -104,11 +107,27 @@ void
|
||||
@@ -104,11 +104,26 @@ void
|
||||
init_ldap_conn ();
|
||||
void usage();
|
||||
|
||||
@ -87,11 +84,19 @@ index aa2c711..76186b5 100644
|
||||
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
|
||||
+static char *dn_buffer [64]={NULL};
|
||||
+
|
||||
LDAP *conn;
|
||||
unsigned int debug = 0;
|
||||
|
||||
@@ -132,12 +151,12 @@ main (int argc, char **argv)
|
||||
@@ -120,7 +135,7 @@ static void
|
||||
fatal(const char *msg) {
|
||||
perror(msg);
|
||||
if (conn != NULL)
|
||||
- ldap_unbind_s(conn);
|
||||
+ ldap_unbind_ext_s(conn, NULL, NULL);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@@ -132,12 +147,13 @@ main (int argc, char **argv)
|
||||
isc_result_t result;
|
||||
char *basedn;
|
||||
ldap_info *tmp;
|
||||
@ -102,12 +107,12 @@ index aa2c711..76186b5 100644
|
||||
isc_buffer_t buff;
|
||||
char *zonefile=0L;
|
||||
char fullbasedn[1024];
|
||||
- char *ctmp;
|
||||
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
|
||||
char *ctmp;
|
||||
+ char *zn, *dcp[2], *znp[2], *rdn[2];
|
||||
dns_fixedname_t fixedzone, fixedname;
|
||||
dns_rdataset_t rdataset;
|
||||
char **dc_list;
|
||||
@@ -150,7 +169,7 @@ main (int argc, char **argv)
|
||||
@@ -150,7 +166,7 @@ main (int argc, char **argv)
|
||||
extern char *optarg;
|
||||
extern int optind, opterr, optopt;
|
||||
int create_base = 0;
|
||||
@ -116,7 +121,7 @@ index aa2c711..76186b5 100644
|
||||
|
||||
if (argc < 2)
|
||||
{
|
||||
@@ -158,7 +177,7 @@ main (int argc, char **argv)
|
||||
@@ -158,7 +174,7 @@ main (int argc, char **argv)
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
@ -125,7 +130,7 @@ index aa2c711..76186b5 100644
|
||||
{
|
||||
switch (topt)
|
||||
{
|
||||
@@ -181,6 +200,9 @@ main (int argc, char **argv)
|
||||
@@ -181,6 +197,9 @@ main (int argc, char **argv)
|
||||
if (bindpw == NULL)
|
||||
fatal("strdup");
|
||||
break;
|
||||
@ -135,35 +140,27 @@ index aa2c711..76186b5 100644
|
||||
case 'b':
|
||||
ldapbase = strdup (optarg);
|
||||
if (ldapbase == NULL)
|
||||
@@ -300,27 +322,62 @@ main (int argc, char **argv)
|
||||
{
|
||||
if (debug)
|
||||
@@ -302,17 +321,51 @@ main (int argc, char **argv)
|
||||
printf ("Creating base zone DN %s\n", argzone);
|
||||
-
|
||||
+
|
||||
|
||||
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
|
||||
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
|
||||
|
||||
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
|
||||
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
|
||||
+ if (debug)
|
||||
+ printf ("base DN %s\n", basedn);
|
||||
+
|
||||
|
||||
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
|
||||
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
|
||||
{
|
||||
- if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
+ if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
if ((*ctmp == ',') || (ctmp == &basedn[0]))
|
||||
{
|
||||
+
|
||||
base.mod_op = LDAP_MOD_ADD;
|
||||
- base.mod_type = (char*)"objectClass";
|
||||
- base.mod_values = (char**)topObjectClasses;
|
||||
+ base.mod_type = objectClass;
|
||||
+ base.mod_values = topObjectClasses;
|
||||
base.mod_values = (char**)topObjectClasses;
|
||||
base_attrs[0] = (void*)&base;
|
||||
- base_attrs[1] = NULL;
|
||||
-
|
||||
+
|
||||
+
|
||||
+ dcBase.mod_op = LDAP_MOD_ADD;
|
||||
+ dcBase.mod_type = dc;
|
||||
+ dcp[0]=dc_list[dcn];
|
||||
@ -172,13 +169,13 @@ index aa2c711..76186b5 100644
|
||||
+ base_attrs[1] = (void*)&dcBase;
|
||||
+
|
||||
+ znBase.mod_op = LDAP_MOD_ADD;
|
||||
+ znBase.mod_type = zoneName;
|
||||
+ znBase.mod_type = zoneName;
|
||||
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
|
||||
+ znlen += strlen(dc_list[zdn])+1;
|
||||
+ znp[0] = (char*)malloc(znlen+1);
|
||||
+ znp[1] = 0L;
|
||||
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
|
||||
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
|
||||
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
|
||||
+ zn+=sprintf(zn,"%s%s",dc_list[zdn],
|
||||
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
|
||||
+ );
|
||||
+
|
||||
@ -191,24 +188,15 @@ index aa2c711..76186b5 100644
|
||||
+ rdn[1] = 0L;
|
||||
+ rdnBase.mod_values = rdn;
|
||||
+ base_attrs[3] = (void*)&rdnBase;
|
||||
+
|
||||
+
|
||||
+ dcn++;
|
||||
+
|
||||
+ base.mod_values = topObjectClasses;
|
||||
+ base_attrs[4] = NULL;
|
||||
+
|
||||
+ base_attrs[4] = NULL;
|
||||
|
||||
if (ldapbase)
|
||||
{
|
||||
if (ctmp != &basedn[0])
|
||||
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
|
||||
else
|
||||
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
|
||||
-
|
||||
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -329,8 +386,13 @@ main (int argc, char **argv)
|
||||
@@ -329,6 +382,10 @@ main (int argc, char **argv)
|
||||
else
|
||||
sprintf (fullbasedn, "%s", ctmp);
|
||||
}
|
||||
@ -217,12 +205,9 @@ index aa2c711..76186b5 100644
|
||||
+ printf("Full base dn: %s\n", fullbasedn);
|
||||
+
|
||||
result = ldap_add_s (conn, fullbasedn, base_attrs);
|
||||
ldap_result_check ("intial ldap_add_s", fullbasedn, result);
|
||||
+
|
||||
ldap_result_check ("initial ldap_add_s", fullbasedn, result);
|
||||
}
|
||||
|
||||
}
|
||||
@@ -408,14 +470,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
@@ -408,14 +465,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
|
||||
isc_result_check (result, "dns_rdata_totext");
|
||||
data[isc_buffer_usedlength (&buff)] = 0;
|
||||
|
||||
@ -240,7 +225,7 @@ index aa2c711..76186b5 100644
|
||||
}
|
||||
|
||||
|
||||
@@ -455,7 +517,8 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -455,7 +512,8 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
int attrlist;
|
||||
char ldap_type_buffer[128];
|
||||
char charttl[64];
|
||||
@ -250,7 +235,7 @@ index aa2c711..76186b5 100644
|
||||
|
||||
if ((tmp = locate_by_dn (dn)) == NULL)
|
||||
{
|
||||
@@ -482,13 +545,13 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -482,10 +540,10 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("malloc");
|
||||
}
|
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
|
||||
@ -262,12 +247,8 @@ index aa2c711..76186b5 100644
|
||||
+ tmp->attrs[0]->mod_values = objectClasses;
|
||||
else
|
||||
{
|
||||
- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
|
||||
+ tmp->attrs[0]->mod_values =topObjectClasses;
|
||||
tmp->attrs[1] = NULL;
|
||||
tmp->attrcnt = 2;
|
||||
tmp->next = ldap_info_base;
|
||||
@@ -497,7 +560,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
tmp->attrs[0]->mod_values = (char**)topObjectClasses;
|
||||
@@ -497,7 +555,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
}
|
||||
|
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
|
||||
@ -276,7 +257,7 @@ index aa2c711..76186b5 100644
|
||||
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL)
|
||||
@@ -526,7 +589,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -526,7 +584,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
fatal("strdup");
|
||||
|
||||
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
|
||||
@ -285,16 +266,16 @@ index aa2c711..76186b5 100644
|
||||
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
|
||||
|
||||
if (tmp->attrs[3]->mod_values == (char **)NULL)
|
||||
@@ -539,14 +602,25 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -539,14 +597,25 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
if (tmp->attrs[3]->mod_values[0] == NULL)
|
||||
fatal("strdup");
|
||||
|
||||
+ znlen=strlen(gbl_zone);
|
||||
+ if ( *(gbl_zone + (znlen-1)) == '.' )
|
||||
+ znlen=strlen(gbl_zone);
|
||||
+ if ( gbl_zone[znlen-1] == '.' )
|
||||
+ { /* ldapdb MUST search by relative zone name */
|
||||
+ zn = (char*)malloc(znlen);
|
||||
+ strncpy(zn,gbl_zone,znlen-1);
|
||||
+ *(zn + (znlen-1))='\0';
|
||||
+ memcpy(zn, gbl_zone, znlen-1);
|
||||
+ zn[znlen-1]='\0';
|
||||
+ }else
|
||||
+ {
|
||||
+ zn = gbl_zone;
|
||||
@ -313,7 +294,7 @@ index aa2c711..76186b5 100644
|
||||
tmp->attrs[4]->mod_values[1] = NULL;
|
||||
|
||||
tmp->attrs[5] = NULL;
|
||||
@@ -557,7 +631,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
@@ -557,7 +626,7 @@ add_to_rr_list (char *dn, char *name, char *type,
|
||||
else
|
||||
{
|
||||
|
||||
@ -322,7 +303,7 @@ index aa2c711..76186b5 100644
|
||||
{
|
||||
sprintf (ldap_type_buffer, "%sRecord", type);
|
||||
if (!strncmp
|
||||
@@ -631,44 +705,70 @@ char **
|
||||
@@ -631,44 +700,70 @@ char **
|
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
{
|
||||
char *tmp;
|
||||
@ -382,10 +363,10 @@ index aa2c711..76186b5 100644
|
||||
+ {
|
||||
+ if( hname == 0 )
|
||||
+ hname=strdup(hostname);
|
||||
+ last = strdup(sameZone);
|
||||
+ last = strdup(sameZone);
|
||||
+ }else
|
||||
+ {
|
||||
+ if( (hlen < zlen)
|
||||
+ {
|
||||
+ if( (hlen < zlen)
|
||||
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
|
||||
+ )
|
||||
+ {
|
||||
@ -422,7 +403,7 @@ index aa2c711..76186b5 100644
|
||||
+ *tmp = '\0';
|
||||
+ if( tmp == hname )
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if( ( last != hname ) && (tmp != hname) )
|
||||
+ dn_buffer[i++] = hname;
|
||||
@ -430,7 +411,7 @@ index aa2c711..76186b5 100644
|
||||
dn_buffer[i] = NULL;
|
||||
|
||||
return dn_buffer;
|
||||
@@ -680,24 +780,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
@@ -680,30 +775,38 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
|
||||
* exception of "@"/SOA. */
|
||||
|
||||
char *
|
||||
@ -439,19 +420,21 @@ index aa2c711..76186b5 100644
|
||||
{
|
||||
int size;
|
||||
- int x;
|
||||
- static char dn[1024];
|
||||
- char tmp[128];
|
||||
+ int x, znlen;
|
||||
static char dn[1024];
|
||||
char tmp[128];
|
||||
+ static char dn[DNS_NAME_MAXTEXT*3/2];
|
||||
+ char tmp[DNS_NAME_MAXTEXT*3/2];
|
||||
+ char zn[DNS_NAME_MAXTEXT+1];
|
||||
|
||||
bzero (tmp, sizeof (tmp));
|
||||
bzero (dn, sizeof (dn));
|
||||
size = get_attr_list_size (dc_list);
|
||||
+ znlen = strlen(zone);
|
||||
+ if ( *(zone + (znlen-1)) == '.' )
|
||||
+ if ( zone[znlen-1] == '.' )
|
||||
+ { /* ldapdb MUST search by relative zone name */
|
||||
+ memcpy(&(zn[0]),zone,znlen-1);
|
||||
+ *(zn + (znlen-1))='\0';
|
||||
+ zn[znlen-1]='\0';
|
||||
+ zone = zn;
|
||||
+ }
|
||||
for (x = size - 2; x > 0; x--)
|
||||
@ -460,40 +443,47 @@ index aa2c711..76186b5 100644
|
||||
{
|
||||
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
|
||||
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
|
||||
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
+ snprintf (tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
else if (x == (size - 2))
|
||||
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
|
||||
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
+ snprintf(tmp, sizeof(tmp), "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
|
||||
else
|
||||
sprintf(tmp,"dc=%s,", dc_list[x]);
|
||||
- sprintf(tmp,"dc=%s,", dc_list[x]);
|
||||
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
|
||||
}
|
||||
@@ -723,6 +831,7 @@ void
|
||||
init_ldap_conn ()
|
||||
{
|
||||
int result;
|
||||
+ char ldb_tag[]="LDAP Bind";
|
||||
conn = ldap_open (ldapsystem, LDAP_PORT);
|
||||
if (conn == NULL)
|
||||
else
|
||||
{
|
||||
@@ -732,7 +841,7 @@ init_ldap_conn ()
|
||||
- sprintf(tmp, "dc=%s,", dc_list[x]);
|
||||
+ snprintf(tmp, sizeof(tmp), "dc=%s,", dc_list[x]);
|
||||
}
|
||||
|
||||
|
||||
@@ -732,19 +835,18 @@ init_ldap_conn ()
|
||||
}
|
||||
|
||||
result = ldap_simple_bind_s (conn, binddn, bindpw);
|
||||
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
|
||||
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
|
||||
+ ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
|
||||
}
|
||||
|
||||
/* Like isc_result_check, only for LDAP */
|
||||
@@ -749,8 +858,6 @@ ldap_result_check (const char *msg, char *dn, int err)
|
||||
void
|
||||
-ldap_result_check (const char *msg, char *dn, int err)
|
||||
+ldap_result_check (const char *msg, const char *dn, int err)
|
||||
{
|
||||
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
|
||||
{
|
||||
- fprintf(stderr, "Error while adding %s (%s):\n",
|
||||
- dn, msg);
|
||||
- ldap_perror (conn, dn);
|
||||
- ldap_unbind_s (conn);
|
||||
+ fprintf(stderr, "Error while adding %s (%s):\n%s",
|
||||
+ dn, msg, ldap_err2string(err));
|
||||
+ ldap_unbind_ext_s (conn, NULL, NULL);
|
||||
exit (-1);
|
||||
}
|
||||
}
|
||||
|
||||
-
|
||||
-
|
||||
/* For running the ldap_info run queue. */
|
||||
void
|
||||
add_ldap_values (ldap_info * ldinfo)
|
||||
@@ -758,14 +865,14 @@ add_ldap_values (ldap_info * ldinfo)
|
||||
@@ -758,16 +860,15 @@ add_ldap_values (ldap_info * ldinfo)
|
||||
int result;
|
||||
char dnbuffer[1024];
|
||||
|
||||
@ -505,12 +495,14 @@ index aa2c711..76186b5 100644
|
||||
|
||||
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
|
||||
- ldap_result_check ("ldap_add_s", dnbuffer, result);
|
||||
-}
|
||||
+ ldap_result_check ("ldap_add_s", dnbuffer, result);
|
||||
+
|
||||
}
|
||||
|
||||
+}
|
||||
|
||||
|
||||
@@ -776,5 +883,5 @@ void
|
||||
|
||||
@@ -776,5 +877,5 @@ void
|
||||
usage ()
|
||||
{
|
||||
fprintf (stderr,
|
||||
|
@ -1,7 +1,8 @@
|
||||
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
|
||||
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
|
||||
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
|
||||
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index ecb3ddb..f7f73cd 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -1456,7 +1456,7 @@ log_edns(fetchctx_t *fctx) {
|
||||
*/
|
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
|
||||
@ -10,7 +11,7 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
|
||||
"success resolving '%s' (in '%s'?) after %s",
|
||||
fctx->info, domainbuf, fctx->reason);
|
||||
|
||||
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
|
||||
@@ -4667,7 +4667,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
|
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
|
||||
@ -19,12 +20,12 @@ diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolve
|
||||
"lame server resolving '%s' (in '%s'?): %s",
|
||||
namebuf, domainbuf, addrbuf);
|
||||
}
|
||||
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
|
||||
}
|
||||
@@ -4685,7 +4685,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
|
||||
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
|
||||
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||
"DNS format error from %s resolving %s%s%s: %s",
|
||||
nsbuf, fctx->info, clmsg, clbuf, msgbuf);
|
||||
"DNS format error from %s resolving %s for %s: %s",
|
||||
nsbuf, fctx->info, fctx->clientstr, msgbuf);
|
||||
}
|
||||
|
@ -1,2 +1 @@
|
||||
. 3600 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
|
||||
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
|
||||
|
161
SPECS/bind.spec
161
SPECS/bind.spec
@ -19,6 +19,7 @@
|
||||
%bcond_with LMDB
|
||||
%bcond_with DLZ
|
||||
%bcond_without EXPORT_LIBS
|
||||
%bcond_without BDB
|
||||
# Legacy GeoIP support
|
||||
%bcond_with GEOIP
|
||||
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
|
||||
@ -26,6 +27,7 @@
|
||||
%else
|
||||
%bcond_with UNITTEST
|
||||
%endif
|
||||
%bcond_with TSAN
|
||||
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
|
||||
# New MaxMind GeoLite support
|
||||
%bcond_without GEOIP2
|
||||
@ -54,16 +56,16 @@
|
||||
#
|
||||
|
||||
# lib*.so.X versions of selected libraries
|
||||
%global sover_dns 1107
|
||||
%global sover_isc 1104
|
||||
%global sover_dns 1110
|
||||
%global sover_isc 1105
|
||||
%global sover_irs 161
|
||||
%global sover_isccfg 163
|
||||
|
||||
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
|
||||
Name: bind
|
||||
License: MPLv2.0
|
||||
Version: 9.11.13
|
||||
Release: 6%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.1
|
||||
Version: 9.11.20
|
||||
Release: 5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
|
||||
Epoch: 32
|
||||
Url: http://www.isc.org/products/BIND/
|
||||
#
|
||||
@ -153,21 +155,19 @@ Patch174:bind-9.11-fips-disable.patch
|
||||
Patch175:bind-9.11-json-c.patch
|
||||
Patch177:bind-9.11-serve-stale.patch
|
||||
Patch178:bind-9.11-dhcp-time-monotonic.patch
|
||||
Patch179:bind-9.11-rh1790879.patch
|
||||
Patch180:bind-9.11.13-rwlock.patch
|
||||
Patch181:bind-9.11.13-CVE-2020-8617.patch
|
||||
Patch182:bind-9.11.13-CVE-2020-8616.patch
|
||||
Patch183:bind-9.11-CVE-2020-8616-test.patch
|
||||
Patch184:bind-9.11-CVE-2020-8617-test.patch
|
||||
Patch185:bind-9.11-rh1865785.patch
|
||||
Patch179:bind-9.11-rh1859454.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/ae9af802b5e7169c55cc5ef04dcfbded351c743d
|
||||
Patch180:bind-9.11-CVE-2020-8622.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/0660b022fc6130dda2a27d6164fc7decdcabce8d
|
||||
Patch181:bind-9.11-CVE-2020-8623.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/8e919cf6e47c4f52612069ac0868f8caa5089e74
|
||||
Patch182:bind-9.11-CVE-2020-8624.patch
|
||||
Patch183:bind-9.11-CVE-2020-8624-test.patch
|
||||
|
||||
# SDB patches
|
||||
Patch11: bind-9.3.2b2-sdbsrc.patch
|
||||
Patch12: bind-9.10-sdb.patch
|
||||
|
||||
# export lib patches
|
||||
Patch135:bind-9.11-export-isc-config.patch
|
||||
|
||||
# needs inpection
|
||||
Patch17: bind-9.3.2b1-fix_sdb_ldap.patch
|
||||
Patch18: bind-9.11-zone2ldap.patch
|
||||
@ -181,6 +181,7 @@ Requires(post): shadow-utils
|
||||
Requires(post): glibc-common
|
||||
Requires(post): grep
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Obsoletes: bind-config < 30:9.3.2-34.fc6
|
||||
Provides: bind-config = 30:9.3.2-34.fc6
|
||||
Obsoletes: caching-nameserver < 31:9.4.1-7.fc8
|
||||
@ -197,6 +198,8 @@ BuildRequires: python3-ply
|
||||
BuildRequires: findutils sed
|
||||
%if %{with SDB}
|
||||
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-connector-c-devel
|
||||
%endif
|
||||
%if %{with BDB}
|
||||
BuildRequires: libdb-devel
|
||||
%endif
|
||||
%if %{with UNITTEST}
|
||||
@ -226,6 +229,9 @@ BuildRequires: libmaxminddb-devel
|
||||
%endif
|
||||
# Needed to regenerate dig.1 manpage
|
||||
BuildRequires: docbook-style-xsl, libxslt
|
||||
%if %{with TSAN}
|
||||
BuildRequires: libtsan
|
||||
%endif
|
||||
|
||||
%description
|
||||
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
||||
@ -239,6 +245,8 @@ tools for verifying that the DNS server is operating properly.
|
||||
Summary: Bind with native PKCS#11 functionality for crypto
|
||||
Requires: systemd
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Recommends: softhsm
|
||||
|
||||
@ -282,6 +290,7 @@ Summary: BIND server with database backends and DLZ support
|
||||
Requires: systemd
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description sdb
|
||||
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
|
||||
@ -323,6 +332,7 @@ Contains license of the BIND DNS suite.
|
||||
%package utils
|
||||
Summary: Utilities for querying DNS name servers
|
||||
Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: python3-bind = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description utils
|
||||
@ -352,12 +362,6 @@ required for development with ISC BIND 9
|
||||
Summary: Lite version of header files and libraries needed for BIND DNS development
|
||||
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
|
||||
%if %{with GEOIP}
|
||||
Requires: GeoIP-devel%{?_isa}
|
||||
%endif
|
||||
%if %{with GEOIP2}
|
||||
Requires: libmaxminddb-devel%{?_isa}
|
||||
%endif
|
||||
|
||||
%description lite-devel
|
||||
The bind-lite-devel package contains lite version of the header
|
||||
@ -391,6 +395,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
|
||||
|
||||
|
||||
%if %{with DLZ}
|
||||
%if %{with BDB}
|
||||
%package dlz-bdb
|
||||
Summary: BIND server bdb DLZ module
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
@ -398,6 +403,10 @@ Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
%description dlz-bdb
|
||||
Dynamic Loadable Zones module for BIND server.
|
||||
|
||||
%end
|
||||
|
||||
%endif
|
||||
|
||||
%package dlz-filesystem
|
||||
Summary: BIND server filesystem DLZ module
|
||||
Requires: bind%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
@ -438,7 +447,7 @@ Dynamic Loadable Zones module for BIND server.
|
||||
%package -n python3-bind
|
||||
Summary: A module allowing rndc commands to be sent from Python programs
|
||||
Requires: bind-license = %{epoch}:%{version}-%{release}
|
||||
Requires: %{?__python3} python3-ply %{py3_dist ply}
|
||||
Requires: %{?__python3} python3-ply %{?py3_dist:%py3_dist ply}
|
||||
BuildArch: noarch
|
||||
%{?python_provide:%python_provide python3-bind}
|
||||
%{?python_provide:%python_provide python3-isc}
|
||||
@ -512,13 +521,11 @@ are used for building ISC DHCP.
|
||||
%patch175 -p1 -b .json-c
|
||||
%patch177 -p1 -b .serve-stale
|
||||
%patch178 -p1 -b .time-monotonic
|
||||
%patch179 -p1 -b .rh1790879
|
||||
%patch180 -p1 -b .rwlock
|
||||
%patch181 -p1 -b .CVE-2020-8617
|
||||
%patch182 -p1 -b .CVE-2020-8616
|
||||
%patch183 -p1 -b .CVE-2020-8616-test
|
||||
%patch184 -p1 -b .CVE-2020-8616-test
|
||||
%patch185 -p1 -b .rh1865785
|
||||
%patch179 -p1 -b .rh1859454
|
||||
%patch180 -p1 -b .CVE-2020-8622
|
||||
%patch181 -p1 -b .CVE-2020-8623
|
||||
%patch182 -p1 -b .CVE-2020-8624
|
||||
%patch183 -p1 -b .CVE-2020-8624-test
|
||||
|
||||
mkdir lib/dns/tests/testdata/dstrandom
|
||||
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
|
||||
@ -590,10 +597,15 @@ done
|
||||
cp -Tuav bin/tests "%{1}/bin/tests/" \
|
||||
cp -uv version "%{1}" \
|
||||
|
||||
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
||||
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
||||
%if %{with TSAN}
|
||||
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
|
||||
%endif
|
||||
export CFLAGS
|
||||
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
|
||||
export STD_CDEFINES="$CPPFLAGS"
|
||||
|
||||
|
||||
sed -i -e \
|
||||
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \
|
||||
version
|
||||
@ -633,6 +645,8 @@ export LIBDIR_SUFFIX
|
||||
--with-dlz-postgres=yes \
|
||||
--with-dlz-mysql=yes \
|
||||
--with-dlz-filesystem=yes \
|
||||
%endif
|
||||
%if %{with BDB}
|
||||
--with-dlz-bdb=yes \
|
||||
%endif
|
||||
%if %{with GSSTSIG}
|
||||
@ -670,14 +684,19 @@ popd
|
||||
|
||||
%if %{with DLZ}
|
||||
pushd contrib/dlz
|
||||
pushd bin/dlzbdb
|
||||
make
|
||||
popd
|
||||
pushd modules
|
||||
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
|
||||
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
|
||||
make -C $DIR CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
|
||||
done
|
||||
popd
|
||||
%if %{with BDB}
|
||||
pushd bin/dlzbdb
|
||||
make
|
||||
popd
|
||||
pushd modules
|
||||
make -C bdbhpt CFLAGS="-fPIC -I../include $CFLAGS $LDFLAGS"
|
||||
popd
|
||||
%endif
|
||||
popd
|
||||
%endif
|
||||
popd # build
|
||||
@ -686,6 +705,8 @@ popd # build
|
||||
%systemtest_prepare_build build
|
||||
|
||||
%if %{with EXPORT_LIBS}
|
||||
cp isc-config.sh.1 isc-export-config.sh.1
|
||||
|
||||
## Create export libs ##
|
||||
mkdir -p export-libs
|
||||
pushd export-libs
|
||||
@ -722,8 +743,12 @@ export LIBDIR_SUFFIX
|
||||
## FIXME this should be in patch instead of SED'ing
|
||||
## but do we really like/want to patch generated files?
|
||||
|
||||
sed -i -e \
|
||||
'/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
|
||||
mv isc-config.sh isc-export-config.sh
|
||||
|
||||
sed -i \
|
||||
-e '/^SUBDIRS =/s/.*/SUBDIRS = make lib/i' \
|
||||
-e 's/isc-config.sh/isc-export-config.sh/g' \
|
||||
-e 's/bind9-config/bind9-export-config/g' \
|
||||
Makefile
|
||||
|
||||
sed -i -e \
|
||||
@ -735,9 +760,9 @@ do
|
||||
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
|
||||
sed -e "s/-l${lib}\([^[:alpha:]]\)/-l${lib}-export\1/g" \
|
||||
-e "s/lib${lib}\./lib${lib}-export\./g" \
|
||||
-i isc-config.sh
|
||||
-i isc-export-config.sh
|
||||
done;
|
||||
%{__patch} -p2 -b --suffix .export-isc-config < %{PATCH135}
|
||||
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
|
||||
@ -763,6 +788,10 @@ sed -e "/^\s*include(/ d" -e 's/^-- use //' \
|
||||
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
|
||||
%endif
|
||||
|
||||
%if %{with TSAN}
|
||||
export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
|
||||
%endif
|
||||
|
||||
%if %{with UNITTEST}
|
||||
pushd build
|
||||
make unit
|
||||
@ -910,15 +939,20 @@ install -m 644 %{SOURCE12} contrib/sdb/pgsql/
|
||||
|
||||
%if %{with DLZ}
|
||||
pushd contrib/dlz
|
||||
pushd bin/dlzbdb
|
||||
make DESTDIR=${RPM_BUILD_ROOT} install
|
||||
popd
|
||||
pushd modules
|
||||
for DIR in bdbhpt filesystem ldap mysql mysqldyn sqlite3; do
|
||||
for DIR in filesystem ldap mysql mysqldyn sqlite3; do
|
||||
make -C $DIR DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
|
||||
done
|
||||
mv mysqldyn/testing/README mysqldyn/testing/README.testing
|
||||
%if %{with BDB}
|
||||
make -C bdbhpt DESTDIR=${RPM_BUILD_ROOT} libdir=%{_libdir}/bind install
|
||||
%endif
|
||||
popd
|
||||
%if %{with BDB}
|
||||
pushd bin/dlzbdb
|
||||
make DESTDIR=${RPM_BUILD_ROOT} install
|
||||
popd
|
||||
%endif
|
||||
popd
|
||||
%endif
|
||||
|
||||
@ -956,6 +990,7 @@ pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
|
||||
ln -s named.8.gz named-pkcs11.8.gz
|
||||
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
|
||||
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
|
||||
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
|
||||
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
|
||||
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
|
||||
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
|
||||
@ -1462,12 +1497,15 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
%{_bindir}/bind9-export-config
|
||||
%endif
|
||||
|
||||
%if %{with DLZ}
|
||||
%if %{with DLZ} && %{with BDB}
|
||||
%files dlz-bdb
|
||||
%{_sbindir}/dlzbdb
|
||||
%{_libdir}/bind/dlz_bdbhpt_dynamic.so
|
||||
%doc contrib/dlz/modules/bdbhpt/testing/*
|
||||
|
||||
%endif
|
||||
|
||||
%if %{with DLZ}
|
||||
%files dlz-filesystem
|
||||
%{_libdir}/bind/dlz_filesystem_dynamic.so
|
||||
|
||||
@ -1496,17 +1534,40 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Aug 04 2020 Tomas Korbar <tkorbar@redhat.com> - 32:9.11.13-6.1
|
||||
- Validate configuration files with CIDRs host bits set (#1865785)
|
||||
* Tue Aug 18 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-5
|
||||
- Fix tsig-request verify (CVE-2020-8622)
|
||||
- Prevent PKCS11 daemon crash on crafted packet (CVE-2020-8623)
|
||||
- Correct update-policy type subdomain to match documentation (CVE-2020-8624)
|
||||
- Include available test
|
||||
|
||||
* Fri May 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-5.1
|
||||
- Add CVE tests to codebase
|
||||
* Wed Jul 22 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-4
|
||||
- Prevent crash on dstlib initialization failure (#1859454)
|
||||
|
||||
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-5
|
||||
- Limit number of queries triggered by a request (CVE-2020-8616)
|
||||
* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-3
|
||||
- Add remaining require to bind package (#1633169)
|
||||
|
||||
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-4
|
||||
- Fix invalid tsig request (CVE-2020-8617)
|
||||
* Fri Jun 19 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-2
|
||||
- Add manual page for dnssec-importkey-pkcs11 (#1666785)
|
||||
- Add versioned depends to all library subpackages
|
||||
|
||||
* Wed Jun 17 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.20-1
|
||||
- Update to 9.11.20
|
||||
|
||||
* Mon Jun 08 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-2
|
||||
- Remove old KSK 19036 from remaining trusted-key.key
|
||||
|
||||
* Fri May 15 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.19-1
|
||||
- Update to 9.11.19 (CVE-2020-8616, CVE-2020-8617)
|
||||
|
||||
* Thu Apr 16 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.18-1
|
||||
- Update to 9.11.18
|
||||
|
||||
* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.17-1
|
||||
- Update to 9.11.17
|
||||
|
||||
* Tue Apr 07 2020 Petr Menšík <pemensik@redhat.com> - 32:9.11.14-1
|
||||
- Update to 9.11.14
|
||||
- Remove libmaxminddb-devel from devel package dependencies
|
||||
|
||||
* Thu Feb 27 2020 Miroslav Lichvar <mlichvar@redhat.com> - 32:9.11.13-3
|
||||
- Fix rwlock to be thread-safe (#1740511)
|
||||
|
Loading…
Reference in New Issue
Block a user