rpms
/
bind
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import bind-9.11.13-6.el8_2.1

Browse Source
c8 imports/c8/bind-9.11.13-6.el8_2.1
CentOS Sources 3 years ago committed by Andrew Lukoshko
commit c155b2de68
82 changed files with 20745 additions and 0 deletions
Show Stats Download Patch File Download Diff File

2
.bind.metadata
Unescape Escape View File

@ -0,0 +1,2 @@
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

2
.gitignore vendored
Unescape Escape View File

@ -0,0 +1,2 @@
SOURCES/bind-9.11.13.tar.gz
SOURCES/random.data

79
SOURCES/README.sdb_pgsql
Unescape Escape View File

@ -0,0 +1,79 @@
PGSQL BIND SDB driver
The postgresql BIND SDB driver is of experimental status and should not be
used for production systems.
Usage:
o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
o Edit your named.conf to contain a database zone, eg. :
zone "pgdb.net." IN {
type master;
database "pgsql bind pgdb localhost pguser pgpasswd";
# ^- DB name ^-Table ^-host ^-user ^-password
};
o Create the database zone table
The table must contain the columns "name", "rdtype", and "rdata", and
is expected to contain a properly constructed zone. The program "zonetodb"
creates such a table.
zonetodb usage:
zonetodb origin file dbname dbtable
where
origin : zone origin, eg "pgdb.net."
file : master zone database file, eg. pgdb.net.db
dbname : name of postgresql database
dbtable: name of table in database
Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database
'pgdb' table:
---
#pgdb.net.db:
$TTL 1H
@ SOA localhost. root.localhost. ( 1
3H
1H
1W
1H )
NS localhost.
host1 A 192.168.2.1
host2 A 192.168.2.2
host3 A 192.168.2.3
host4 A 192.168.2.4
host5 A 192.168.2.5
host6 A 192.168.2.6
host7 A 192.168.2.7
---
Issue this command as the pgsql user authorized to update the bind database:
# zonetodb pgdb.net. pgdb.net.db bind pgdb
will create / update the pgdb table in the 'bind' db:
$ psql -dbind -c 'select * from pgdb;'
name | ttl | rdtype | rdata
----------------+------+--------+-----------------------------------------------------
pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600
pgdb.net | 3600 | NS | localhost.
host1.pgdb.net | 3600 | A | 192.168.2.1
host2.pgdb.net | 3600 | A | 192.168.2.2
host3.pgdb.net | 3600 | A | 192.168.2.3
host4.pgdb.net | 3600 | A | 192.168.2.4
host5.pgdb.net | 3600 | A | 192.168.2.5
host6.pgdb.net | 3600 | A | 192.168.2.6
host7.pgdb.net | 3600 | A | 192.168.2.7
(9 rows)
I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
service .
USE AT YOUR OWN RISK!

612
SOURCES/bind-9.10-dist-native-pkcs11.patch
Unescape Escape View File

@ -0,0 +1,612 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ce7a2da 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 4b8ca13..32f4470 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -35,10 +35,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
OBJS = dnssectool.@O@
@@ -59,15 +59,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man8: ${MANPAGES}
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 4b8ca13..4175996 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES = -DVERSION=\"${VERSION}\" \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 3166368..a403941 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -72,15 +72,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -154,14 +152,14 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-lwresd@EXEEXT@: named@EXEEXT@
+lwresd@EXEEXT@: named-pkcs11@EXEEXT@
rm -f lwresd@EXEEXT@
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
+ @LN@ named-pkcs11@EXEEXT@ lwresd@EXEEXT@
doc man:: ${MANOBJS}
@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 3166368..890574f 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index a058c91..d4b689a 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -15,13 +15,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${ISC_INCLUDES}
+CINCLUDES = ${ISC_PKCS11_INCLUDES}
CDEFINES =
-ISCLIBS = ../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.ac b/configure.ac
index 9b7d778..59ba20b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
#
AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-randomdev specified?
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
- AC_MSG_RESULT(use of native PKCS11 instead)
-fi
+# if test "yes" = "$want_native_pkcs11"
+# then
+# use_openssl="native_pkcs11"
+# AC_MSG_RESULT(use of native PKCS11 instead)
+# fi
if test "auto" = "$use_openssl"
then
@@ -1511,6 +1513,7 @@ then
fi
done
fi
+CRYPTO_PK11=""
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1532,11 +1535,10 @@ case "$with_gost" in
;;
esac
-case "$use_openssl" in
- native_pkcs11)
- AC_MSG_RESULT(disabled because of native PKCS11)
+if test "$want_native_pkcs11" = "yes"
+then
DST_OPENSSL_INC=""
- CRYPTO="-DPKCS11CRYPTO"
+ CRYPTO_PK11="-DPKCS11CRYPTO"
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
- ;;
+fi
+
+case "$use_openssl" in
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
- if test "yes" = "$want_native_pkcs11"
+ if false # test "yes" = "$want_native_pkcs11"
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2291,6 +2296,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
+AC_SUBST(CRYPTO_PK11)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
+ bin/dnssec-pkcs11/Makefile
bin/named/Makefile
bin/named/unix/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
+ lib/dns-pkcs11/Makefile
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
+ lib/isc-pkcs11/$arch/Makefile
+ lib/isc-pkcs11/$arch/include/Makefile
+ lib/isc-pkcs11/$arch/include/isc/Makefile
+ lib/isc-pkcs11/$thread_dir/Makefile
+ lib/isc-pkcs11/$thread_dir/include/Makefile
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile
+ lib/isc-pkcs11/Makefile
+ lib/isc-pkcs11/include/Makefile
+ lib/isc-pkcs11/include/isc/Makefile
+ lib/isc-pkcs11/include/isc/platform.h
+ lib/isc-pkcs11/include/pk11/Makefile
+ lib/isc-pkcs11/include/pkcs11/Makefile
+ lib/isc-pkcs11/tests/Makefile
+ lib/isc-pkcs11/nls/Makefile
+ lib/isc-pkcs11/unix/Makefile
+ lib/isc-pkcs11/unix/include/Makefile
+ lib/isc-pkcs11/unix/include/isc/Makefile
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 81270a0..bcb5312 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples
+SUBDIRS = isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 7f09bd6..c388d9e 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -150,15 +149,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
include: gen
${MAKE} include/dns/enumtype.h
@@ -189,22 +188,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
touch timestamp
-testdirs: libdns.@A@
+testdirs: libdns-pkcs11.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index 8ad54bb..a3ecdfb 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES}
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
CWARNINGS =
# Alphabetically
@@ -103,40 +103,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
${RANLIB} $@
-libisc-nosymtbl.@SA@: ${OBJS}
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${SYMTBLOBJS} ${LIBS}
-libisc-nosymtbl.la: ${OBJS}
+libisc-pkcs11-nosymtbl.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
touch timestamp
-testdirs: libisc.@A@ libisc-nosymtbl.@A@
+testdirs: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
uninstall::
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc-pkcs11.@A@
clean distclean::
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
- libisc-nosymtbl.la timestamp
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
diff --git a/make/includes.in b/make/includes.in
index fa86ad1..3cfbe9f 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc-pkcs11 \
+ -I${top_srcdir}/lib/isc-pkcs11/include \
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include

310
SOURCES/bind-9.10-sdb.patch
Unescape Escape View File

@ -0,0 +1,310 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index ce7a2da..4e6a824 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,8 +11,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
+SUBDIRS = named named-sdb named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate \
+ check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools tests
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 03a72d5..4c1cb6d 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
#
# Add database drivers here.
#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
+DBDRIVER_LIBS = -lldap -llber -lsqlite3 -lpq
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
GEOIP2LINKOBJS = geoip.@O@
@@ -154,7 +154,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
+named-sdb@EXEEXT@: ${OBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -181,8 +181,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs install-man
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
uninstall::
- rm -f ${DESTDIR}${mandir}/man5/named.conf.5
- rm -f ${DESTDIR}${mandir}/man8/lwresd.8
- rm -f ${DESTDIR}${mandir}/man8/named.8
- rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-sdb@EXEEXT@
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index 108b8d6..a943421 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -93,6 +93,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#include "ldapdb.h"
+#include "pgsqldb.h"
+#include "sqlitedb.h"
+#include "dirdb.h"
#ifdef CONTRIB_DLZ
/*
@@ -1069,6 +1073,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
+ ldapdb_clear();
+ pgsqldb_clear();
+ dirdb_clear();
+ sqlitedb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1269,6 +1278,75 @@ setup(void) {
isc_result_totext(result));
#endif
+ result = ldapdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
+ );
+
+ result = pgsqldb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
+ );
+
+ result = sqlitedb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
+ );
+
+ result = dirdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
+ );
+
+
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1311,6 +1389,11 @@ cleanup(void) {
dns_name_destroy();
+ ldapdb_clear();
+ pgsqldb_clear();
+ sqlitedb_clear();
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 03a72d5..47cc046 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,10 +45,10 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -72,11 +72,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -203,7 +201,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
-@DLZ_DRIVER_RULES@
-
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/bin/sdb_tools/Makefile.in b/bin/sdb_tools/Makefile.in
index c7e0868..95ab742 100644
--- a/bin/sdb_tools/Makefile.in
+++ b/bin/sdb_tools/Makefile.in
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ zonetodb.@O@
+OBJS = zone2ldap.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c zonetodb.c
+SRCS = zone2ldap.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+
clean distclean manclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
@@ -60,4 +63,5 @@ installdirs:
install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.ac b/configure.ac
index eff9f05..d05ad1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
+ bin/named-sdb/Makefile
+ bin/named-sdb/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
bin/tests/headerdep_test.sh
bin/tests/optional/Makefile

18
SOURCES/bind-9.10-use-of-strlcat.patch
Unescape Escape View File

@ -0,0 +1,18 @@
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index d56bc56..99c3314 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -817,11 +817,11 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
}
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
}
sprintf (tmp, "dc=%s", dc_list[0]);
- strlcat (dn, tmp, sizeof (dn));
+ strncat (dn, tmp, sizeof (dn) - strlen (dn));
fflush(NULL);
return dn;

292
SOURCES/bind-9.11-CVE-2020-8616-test.patch
Unescape Escape View File

@ -0,0 +1,292 @@
From a64853318ade406ef0db744918bb2828cf0a6247 Mon Sep 17 00:00:00 2001
From: Stephen Morris <stephen@isc.org>
Date: Thu, 5 Mar 2020 18:46:46 +0000
Subject: [PATCH] Add test for reduction in number of fetches
Add a system test that counts how many address fetches are made
for different numbers of NS records and checks that the number
are successfully limited.
(cherry picked from commit 5fb65f45443225180296b361a12be0fead5049f2)
---
bin/tests/system/resolver/clean.sh | 4 +-
bin/tests/system/resolver/ns4/named.conf.in | 5 ++
bin/tests/system/resolver/ns4/root.db | 4 +
bin/tests/system/resolver/ns4/sourcens.db | 89 +++++++++++++++++++++
bin/tests/system/resolver/ns5/named.conf.in | 9 ++-
bin/tests/system/resolver/ns6/named.conf.in | 15 ++++
bin/tests/system/resolver/ns6/targetns.db | 23 ++++++
bin/tests/system/resolver/tests.sh | 34 ++++++++
8 files changed, 180 insertions(+), 3 deletions(-)
create mode 100644 bin/tests/system/resolver/ns4/sourcens.db
create mode 100644 bin/tests/system/resolver/ns6/targetns.db
diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 4dfde1f3e7..b3e4bc0b5d 100644
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -17,8 +17,7 @@ rm -f */named.memstats
rm -f */named.run
rm -f */ans.run
rm -f */*.jdb
-rm -f dig.out dig.out.*
-rm -f dig.*.out.*
+rm -f dig.out dig.out.* dig.*.out.*
rm -f dig.*.foo.*
rm -f dig.*.bar.*
rm -f dig.*.prime.*
@@ -28,6 +27,7 @@ rm -f ns6/example.net.db.signed ns6/example.net.db
rm -f ns6/ds.example.net.db.signed ns6/ds.example.net.db
rm -f ns6/dsset-ds.example.net*
rm -f ns6/dsset-example.net* ns6/example.net.db.signed.jnl
+rm -f ns6/named.stats*
rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
rm -f ns7/server.db ns7/server.db.jnl
rm -f resolve.out.*.test*
diff --git a/bin/tests/system/resolver/ns4/named.conf.in b/bin/tests/system/resolver/ns4/named.conf.in
index c679dc3151..56fe5d0dd8 100644
--- a/bin/tests/system/resolver/ns4/named.conf.in
+++ b/bin/tests/system/resolver/ns4/named.conf.in
@@ -50,6 +50,11 @@ zone "broken" {
file "broken.db";
};
+zone "sourcens" {
+ type master;
+ file "sourcens.db";
+};
+
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
diff --git a/bin/tests/system/resolver/ns4/root.db b/bin/tests/system/resolver/ns4/root.db
index 721765d1be..ae541340da 100644
--- a/bin/tests/system/resolver/ns4/root.db
+++ b/bin/tests/system/resolver/ns4/root.db
@@ -24,3 +24,7 @@ example.net. NS ns.example.net.
ns.example.net. A 10.53.0.6
no-questions. NS ns.no-questions.
ns.no-questions. A 10.53.0.8
+sourcens. NS ns.sourcens.
+ns.sourcens. A 10.53.0.4
+targetns. NS ns.targetns.
+ns.targetns. A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/sourcens.db b/bin/tests/system/resolver/ns4/sourcens.db
new file mode 100644
index 0000000000..b02cc6e835
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/sourcens.db
@@ -0,0 +1,89 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This zone contains a set of delegations with varying numbers of NS
+; records. This is used to check that BIND is limiting the number of
+; NS records it follows when resolving a delegation. It tests all
+; numbers of NS records up to twice the number followed.
+
+$TTL 60
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns
+ns A 10.53.0.4
+
+target1 NS ns.fake11.targetns.
+
+target2 NS ns.fake21.targetns.
+ NS ns.fake22.targetns.
+
+target3 NS ns.fake31.targetns.
+ NS ns.fake32.targetns.
+ NS ns.fake33.targetns.
+
+target4 NS ns.fake41.targetns.
+ NS ns.fake42.targetns.
+ NS ns.fake43.targetns.
+ NS ns.fake44.targetns.
+
+target5 NS ns.fake51.targetns.
+ NS ns.fake52.targetns.
+ NS ns.fake53.targetns.
+ NS ns.fake54.targetns.
+ NS ns.fake55.targetns.
+
+target6 NS ns.fake61.targetns.
+ NS ns.fake62.targetns.
+ NS ns.fake63.targetns.
+ NS ns.fake64.targetns.
+ NS ns.fake65.targetns.
+ NS ns.fake66.targetns.
+
+target7 NS ns.fake71.targetns.
+ NS ns.fake72.targetns.
+ NS ns.fake73.targetns.
+ NS ns.fake74.targetns.
+ NS ns.fake75.targetns.
+ NS ns.fake76.targetns.
+ NS ns.fake77.targetns.
+
+target8 NS ns.fake81.targetns.
+ NS ns.fake82.targetns.
+ NS ns.fake83.targetns.
+ NS ns.fake84.targetns.
+ NS ns.fake85.targetns.
+ NS ns.fake86.targetns.
+ NS ns.fake87.targetns.
+ NS ns.fake88.targetns.
+
+target9 NS ns.fake91.targetns.
+ NS ns.fake92.targetns.
+ NS ns.fake93.targetns.
+ NS ns.fake94.targetns.
+ NS ns.fake95.targetns.
+ NS ns.fake96.targetns.
+ NS ns.fake97.targetns.
+ NS ns.fake98.targetns.
+ NS ns.fake99.targetns.
+
+target10 NS ns.fake101.targetns.
+ NS ns.fake102.targetns.
+ NS ns.fake103.targetns.
+ NS ns.fake104.targetns.
+ NS ns.fake105.targetns.
+ NS ns.fake106.targetns.
+ NS ns.fake107.targetns.
+ NS ns.fake108.targetns.
+ NS ns.fake109.targetns.
+ NS ns.fake1010.targetns.
diff --git a/bin/tests/system/resolver/ns5/named.conf.in b/bin/tests/system/resolver/ns5/named.conf.in
index 07205c9938..90818e4556 100644
--- a/bin/tests/system/resolver/ns5/named.conf.in
+++ b/bin/tests/system/resolver/ns5/named.conf.in
@@ -46,4 +46,11 @@ zone "delegation-only" {
type delegation-only;
};
-include "trusted.conf";
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/named.conf.in b/bin/tests/system/resolver/ns6/named.conf.in
index 7df48558b8..4b01f9ba14 100644
--- a/bin/tests/system/resolver/ns6/named.conf.in
+++ b/bin/tests/system/resolver/ns6/named.conf.in
@@ -22,6 +22,7 @@ options {
recursion no;
// minimal-responses yes;
querylog yes;
+ statistics-file "named.stats";
/*
* test that named loads with root-delegation-only that
* has a exclude list.
@@ -67,3 +68,17 @@ zone "delegation-only" {
type master;
file "delegation-only.db";
};
+
+zone "targetns" {
+ type master;
+ file "targetns.db";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
diff --git a/bin/tests/system/resolver/ns6/targetns.db b/bin/tests/system/resolver/ns6/targetns.db
new file mode 100644
index 0000000000..036e64580b
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/targetns.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; In the test for checking how many NS records BIND will follow, this
+; zone marks the server as the one to which the NS lookups will be
+; directed.
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+ NS ns
+ns A 10.53.0.6
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 12d2819e30..178ba4d79b 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -247,6 +247,40 @@ if [ -x ${RESOLVE} ] ; then
status=`expr $status + $ret`
fi
+n=`expr $n + 1`
+echo_i "check that the resolver limits the number of NS records it follows in a referral response ($n)"
+# ns5 is the recusor being tested. ns4 holds the sourcens zone containing names with varying numbers of NS
+# records pointing to non-existent nameservers in the targetns zone on ns6.
+ret=0
+$RNDCCMD 10.53.0.5 flush || ret=1 # Ensure cache is empty before doing this test
+for nscount in 1 2 3 4 5 6 7 8 9 10
+do
+ # Verify number of NS records at source server
+ $DIG $DIGOPTS +norecurse @10.53.0.4 target${nscount}.sourcens ns > dig.ns4.out.${nscount}.${n}
+ sourcerecs=`grep NS dig.ns4.out.${nscount}.${n} | grep -v ';' | wc -l`
+ test $sourcerecs -eq $nscount || ret=1
+ test $sourcerecs -eq $nscount || echo_i "NS count incorrect for target${nscount}.sourcens"
+ # Expected queries = 2 * number of NS records, up to a maximum of 10.
+ expected=`expr 2 \* $nscount`
+ if [ $expected -gt 10 ]; then expected=10; fi
+ # Work out the queries made by checking statistics on the target before and after the test
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ initial_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.initial.${nscount}.${n}
+ $DIG $DIGOPTS @10.53.0.5 target${nscount}.sourcens A > dig.ns5.out.${nscount}.${n} || ret=1
+ $RNDCCMD 10.53.0.6 stats || ret=1
+ final_count=`awk '/responses sent/ {print $1}' ns6/named.stats`
+ mv ns6/named.stats ns6/named.stats.final.${nscount}.${n}
+ # Check number of queries during the test is as expected
+ actual=`expr $final_count - $initial_count`
+ if [ $actual -ne $expected ]; then
+ echo_i "query count error: $nscount NS records: expected queries $expected, actual $actual"
+ ret=1
+ fi
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
--
2.21.1

78
SOURCES/bind-9.11-CVE-2020-8617-test.patch
Unescape Escape View File

@ -0,0 +1,78 @@
From eee06b7744c4999ec3c7cb0654f97a9b4c79f77f Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 25 Mar 2020 17:44:51 +1100
Subject: [PATCH] Check that a 'BADTIME' response with 'QR=0' is handled as a
request
(cherry picked from commit 67ba3f8f3ab2a748dff1e8a2029fde3bc84ec3f1)
---
bin/tests/system/tsig/badtime | 37 ++++++++++++++++++++++++++++++++++
bin/tests/system/tsig/tests.sh | 9 +++++++++
2 files changed, 46 insertions(+)
create mode 100644 bin/tests/system/tsig/badtime
diff --git a/bin/tests/system/tsig/badtime b/bin/tests/system/tsig/badtime
new file mode 100644
index 0000000000..7926404cfb
--- /dev/null
+++ b/bin/tests/system/tsig/badtime
@@ -0,0 +1,37 @@
+# Transaction ID
+1122
+# Standard query
+0000
+# Questions: 1, Additional: 1
+0001 0000 0000 0001
+# QNAME: isc.org
+03 69 73 63 03 6F 72 67 00
+# Type: A (Host Address)
+0001
+# Class: IN
+0001
+# Specially crafted TSIG Resource Record
+# Name: "sha256"
+06 73 68 61 32 35 36 00
+# Type: TSIG (Transaction Signature)
+00fa
+# Class: ANY
+00ff
+# TTL: 0
+00000000
+# RdLen: 29
+001d
+# Algorithm Name: hmac-sha256
+0b 68 6D 61 63 2D 73 68 61 32 35 36 00
+# Time Signed: Jan 1, 1970 01:00:00.000000000 CET
+00 00 00 00 00 00
+# Fudge: 300
+012c
+# MAC Size: 0; MAC: empty
+0000
+# Original ID: 0
+0000
+# Error: BADSIG
+0010
+# Other Data Length: 0
+0000
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index cade35bc1d..284aea1056 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -233,5 +233,14 @@ if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
+echo_i "check that a 'BADTIME' response with 'QR=0' is handled as a request"
+ret=0
+$PERL ../packet.pl -a 10.53.0.1 -p ${PORT} -t tcp < badtime > /dev/null
+$DIG -p ${PORT} @10.53.0.1 version.bind txt ch > dig.out.verify || ret=1
+grep "status: NOERROR" dig.out.verify > /dev/null || ret=1
+if [ $ret -eq 1 ] ; then
+ echo_i "failed"; status=1
+fi
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.21.1

171
SOURCES/bind-9.11-dhcp-time-monotonic.patch
Unescape Escape View File

@ -0,0 +1,171 @@
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0389efa..149cde5 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -89,7 +89,8 @@
#define ISC_R_DISCFULL 67 /*%< disc full */
#define ISC_R_DEFAULT 68 /*%< default */
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
-#define ISC_R_NRESULTS 70
+#define ISC_R_TIMESHIFTED 70 /*%< system time changed */
+#define ISC_R_NRESULTS 71
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 973c348..cceeb5e 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -289,6 +289,10 @@ extern void mock_assert(const int result, const char* const expression,
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#ifdef CLOCK_BOOTTIME
+#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
+#endif
+
/*%
* Alignment
diff --git a/lib/isc/result.c b/lib/isc/result.c
index a9db132..f33fc6b 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
"disc full", /*%< 67 */
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
+ "time changed", /*%< 70 */
};
static const char *identifier[ISC_R_NRESULTS] = {
@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
"ISC_R_DISCFULL",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
+ "ISC_R_TIMESHIFTED",
};
#define ISC_RESULT_RESULTSET 2
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index a6e9882..286fe95 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -442,15 +442,47 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
static isc_result_t
evloop(isc__appctx_t *ctx) {
isc_result_t result;
+ isc_time_t now;
+#ifdef CLOCK_BOOTTIME
+ isc_time_t monotonic;
+ isc_uint64_t diff = 0;
+#else
+ isc_time_t prev;
+ TIME_NOW(&prev);
+#endif
while (!ctx->want_shutdown) {
int n;
- isc_time_t when, now;
+ isc_time_t when;
struct timeval tv, *tvp;
isc_socketwait_t *swait;
bool readytasks;
bool call_timer_dispatch = false;
+ uint64_t us;
+
+#ifdef CLOCK_BOOTTIME
+ // TBD macros for following three lines
+ TIME_NOW(&now);
+ TIME_MONOTONIC(&monotonic);
+ INSIST(now.seconds > monotonic.seconds)
+ us = isc_time_microdiff (&now, &monotonic);
+ if (us < diff){
+ us = diff - us;
+ if (us > 1000000){ // ignoring shifts less than one second
+ return ISC_R_TIMESHIFTED;
+ };
+ diff = isc_time_microdiff (&now, &monotonic);
+ } else {
+ diff = isc_time_microdiff (&now, &monotonic);
+ // not implemented
+ }
+#else
+ TIME_NOW(&now);
+ if (isc_time_compare (&now, &prev) < 0)
+ return ISC_R_TIMESHIFTED;
+ TIME_NOW(&prev);
+#endif
/*
* Check the reload (or suspend) case first for exiting the
* loop as fast as possible in case:
@@ -475,7 +507,6 @@ evloop(isc__appctx_t *ctx) {
if (result != ISC_R_SUCCESS)
tvp = NULL;
else {
- uint64_t us;
TIME_NOW(&now);
us = isc_time_microdiff(&when, &now);
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index b864c29..5dd43c9 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
*\li 't' is a valid pointer.
*/
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t);
+/*%<
+ * Set 't' to monotonic time from previous boot
+ * it's not affected by system time change. It also
+ * includes the time system was suspended
+ *
+ * Requires:
+ *\li 't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li Success
+ *\li Unexpected error
+ * Getting the time from the system failed.
+ */
+#endif /* CLOCK_BOOTTIME */
+
+
isc_result_t
isc_time_now(isc_time_t *t);
/*%<
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 8edc9df..fe0bb91 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
t->nanoseconds / NS_PER_MS);
}
}
+
+
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t) {
+ struct timespec ts;
+
+ char strbuf[ISC_STRERRORSIZE];
+
+ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
+
+ return (ISC_R_SUCCESS);
+
+};
+#endif

27
SOURCES/bind-9.11-engine-pkcs11.patch
Unescape Escape View File

@ -0,0 +1,27 @@
From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Aug 2019 20:39:59 +0200
Subject: [PATCH] Do not set engine for native PKCS11
It resets already set lib_path to pkcs11, which is invalid in native
pkcs11 crypto. Engine has to be path to PKCS#11 module.
---
bin/named/include/named/globals.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index eda2214..2a611d5 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL);
EXTERN const char * ns_g_username INIT(NULL);
-#if defined(USE_PKCS11)
+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * ns_g_engine INIT(NULL);
--
2.20.1

35
SOURCES/bind-9.11-export-isc-config.patch
Unescape Escape View File

@ -0,0 +1,35 @@
diff --git a/export-libs/Makefile b/export-libs/Makefile
index df15ea8..13f416b 100644
--- a/export-libs/Makefile
+++ b/export-libs/Makefile
@@ -404,20 +404,18 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: isc-config.sh installdirs
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
- rm -f ${DESTDIR}${bindir}/bind9-config
- ln ${DESTDIR}${bindir}/isc-config.sh ${DESTDIR}${bindir}/bind9-config
- ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- ln ${DESTDIR}${mandir}/man1/isc-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-config.1
- ${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}/isc-export-config.sh
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ ln ${DESTDIR}${bindir}/isc-export-config.sh ${DESTDIR}${bindir}/bind9-export-config
+ ${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ ln ${DESTDIR}${mandir}/man1/isc-export-config.sh.1 ${DESTDIR}${mandir}/man1/bind9-export-config.1
uninstall::
- rm -f ${DESTDIR}${sysconfdir}/bind.keys
- rm -f ${DESTDIR}${mandir}/man1/bind9-config.1
- rm -f ${DESTDIR}${mandir}/man1/isc-config.sh.1
- rm -f ${DESTDIR}${bindir}/bind9-config
- rm -f ${DESTDIR}${bindir}/isc-config.sh
+ rm -f ${DESTDIR}${mandir}/man1/bind9-export-config.1
+ rm -f ${DESTDIR}${mandir}/man1/isc-export-config.sh.1
+ rm -f ${DESTDIR}${bindir}/bind9-export-config
+ rm -f ${DESTDIR}${bindir}/isc-export-config.sh
tags:
rm -f TAGS

39
SOURCES/bind-9.11-export-suffix.patch
Unescape Escape View File

@ -0,0 +1,39 @@
diff --git a/configure.ac b/configure.ac
index c1bfd62..7c5ad51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
+AC_SUBST(LIBDIR_SUFFIX)
+
#
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
index b5e94ed..d2857e0 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,16 +13,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
+libdir_suffix=@LIBDIR_SUFFIX@
arch=$(uname -m)
case $arch in
x86_64 | amd64 | sparc64 | s390x | ppc64)
- libdir=/usr/lib64
- sec_libdir=/usr/lib
+ libdir=/usr/lib64${libdir_suffix}
+ sec_libdir=/usr/lib${libdir_suffix}
;;
* )
- libdir=/usr/lib
- sec_libdir=/usr/lib64
+ libdir=/usr/lib${libdir_suffix}
+ sec_libdir=/usr/lib64${libdir_suffix}
;;
esac

39
SOURCES/bind-9.11-fips-code-includes.patch
Unescape Escape View File

@ -0,0 +1,39 @@
From 68baeb7211ba2fcd4eff53d987e9b70ba38294cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 20 Dec 2018 11:52:12 +0100
Subject: [PATCH] Fix implicit declaration warning
isc_md5_available() function is not declared before its use. Include
header providing it in files that use it.
---
bin/tests/system/tkey/keydelete.c | 1 +
lib/dns/tsig.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 36ee6c7..6051cd2 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -21,6 +21,7 @@
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
+#include <isc/md5.h>
#include <isc/print.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 70805bb..33870f3 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -18,6 +18,7 @@
#include <isc/buffer.h>
#include <isc/mem.h>
+#include <isc/md5.h>
#include <isc/print.h>
#include <isc/refcount.h>
#include <isc/serial.h>
--
2.14.5

1459
SOURCES/bind-9.11-fips-code.patch
View File

File diff suppressed because it is too large Load Diff

121
SOURCES/bind-9.11-fips-disable.patch
Unescape Escape View File

@ -0,0 +1,121 @@
From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
Default security policy might include explicitly disabled RSAMD5
algorithm. Current FIPS code automatically disables in FIPS mode. But if
RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 33 +++++++++++++++------------------
3 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 5b57371..51702ab 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element),
ns_g_lctx, ISC_LOG_ERROR,
"invalid algorithm");
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e0803d4..8023784 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult == ISC_R_DISABLED) {
+ // Recognize disabled algorithms, disable it explicitly
+ tresult = ISC_R_SUCCESS;
+ }
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f51d548..c49b8d1 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -126,7 +126,6 @@
#endif
#define SECALGNAMES \
- MD5_SECALGNAMES \