rpms
/
bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import bind-9.11.13-1.el8

This commit is contained in:
CentOS Sources 2020-01-21 17:30:08 -05:00 committed by Stepan Oksanichenko
parent 23892d136e
commit fe12c7fcd0
46 changed files with 5804 additions and 3077 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.bind.metadata
View File

@ -1,3 +1,2 @@
f01eada382fb2bd4d1fcab3f6f83bd3ebc35a9ab SOURCES/bind-9.11.4-P2.tar.gz
1dc72fe31e4c84853ea2d016e36f0419d1885fa0 SOURCES/config-18.tar.bz2
550367762a653ac5ed0eb04b316d06517650a925 SOURCES/bind-9.11.13.tar.gz
a164fcad1d64d6b5fab5034928cb7260f1fa8fdd SOURCES/random.data

3
.gitignore vendored
View File

@ -1,3 +1,2 @@
SOURCES/bind-9.11.4-P2.tar.gz
SOURCES/config-18.tar.bz2
SOURCES/bind-9.11.13.tar.gz
SOURCES/random.data

130
SOURCES/bind-9.10-dist-native-pkcs11.patch
View File

@ -14,25 +14,26 @@ index f0c504a..ce7a2da 100644
@BIND9_MAKE_RULES@
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 1d0c4ce..7b7f89b 100644
index 4b8ca13..32f4470 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -17,18 +17,18 @@ VERSION=@BIND9_VERSION@
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES = -DVERSION=\"${VERSION}\" @PKCS11_ENGINE@ \
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
@ -43,7 +44,7 @@ index 1d0c4ce..7b7f89b 100644
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -37,10 +37,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
@@ -35,10 +35,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
@ -58,7 +59,7 @@ index 1d0c4ce..7b7f89b 100644
OBJS = dnssectool.@O@
@@ -61,15 +61,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@@ -59,15 +59,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
@ -77,7 +78,7 @@ index 1d0c4ce..7b7f89b 100644
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -77,7 +77,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
@@ -75,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
@ -86,7 +87,7 @@ index 1d0c4ce..7b7f89b 100644
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -85,19 +85,19 @@ dnssec-verify.@O@: dnssec-verify.c
@@ -83,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
@ -110,7 +111,7 @@ index 1d0c4ce..7b7f89b 100644
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -108,16 +108,14 @@ docclean manclean maintainer-clean::
@@ -106,16 +106,14 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -121,18 +122,18 @@ index 1d0c4ce..7b7f89b 100644
-install:: ${TARGETS} installdirs install-man8
+install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
uninstall::
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t ; done
- for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/$$t || exit 1; done
clean distclean::
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1d0c4ce..11538cf 100644
index 4b8ca13..4175996 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
@@ -17,7 +17,7 @@ VERSION=@BIND9_VERSION@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
@ -142,10 +143,10 @@ index 1d0c4ce..11538cf 100644
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index d92bc9a..a8c42a4 100644
index 3166368..a403941 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -43,26 +43,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
@@ -43,27 +43,27 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
@ -153,20 +154,22 @@ index d92bc9a..a8c42a4 100644
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
-DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
@ -179,7 +182,7 @@ index d92bc9a..a8c42a4 100644
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -71,15 +71,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -72,15 +72,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -197,8 +200,8 @@ index d92bc9a..a8c42a4 100644
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
GEOIP2LINKOBJS = geoip.@O@
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -208,7 +211,7 @@ index d92bc9a..a8c42a4 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -218,7 +221,7 @@ index d92bc9a..a8c42a4 100644
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -146,14 +144,14 @@ server.@O@: server.c
@@ -154,14 +152,14 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -236,7 +239,7 @@ index d92bc9a..a8c42a4 100644
doc man:: ${MANOBJS}
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
@ -257,15 +260,15 @@ index d92bc9a..a8c42a4 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index d92bc9a..6d2bfd1 100644
index 3166368..890574f 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
@@ -48,7 +48,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@ -290,11 +293,11 @@ index a058c91..d4b689a 100644
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
index 849fa94..69e6373 100644
--- a/configure.in
+++ b/configure.in
@@ -1164,12 +1164,14 @@ AC_SUBST(USE_GSSAPI)
diff --git a/configure.ac b/configure.ac
index 9b7d778..59ba20b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1139,12 +1139,14 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
@ -309,10 +312,10 @@ index 849fa94..69e6373 100644
#
# was --with-randomdev specified?
@@ -1554,11 +1556,11 @@ fi
@@ -1494,11 +1496,11 @@ AC_ARG_ENABLE(openssl-hash,
AC_MSG_CHECKING(for OpenSSL library)
OPENSSL_WARNING=
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
openssldirs="/usr /usr/local /usr/local/ssl /opt/local /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
- use_openssl="native_pkcs11"
@ -326,7 +329,7 @@ index 849fa94..69e6373 100644
if test "auto" = "$use_openssl"
then
@@ -1571,6 +1573,7 @@ then
@@ -1511,6 +1513,7 @@ then
fi
done
fi
@ -334,7 +337,7 @@ index 849fa94..69e6373 100644
OPENSSL_ECDSA=""
OPENSSL_GOST=""
OPENSSL_ED25519=""
@@ -1592,11 +1595,10 @@ case "$with_gost" in
@@ -1532,11 +1535,10 @@ case "$with_gost" in
;;
esac
@ -349,7 +352,7 @@ index 849fa94..69e6373 100644
CRYPTOLIB="pkcs11"
OPENSSLECDSALINKOBJS=""
OPENSSLECDSALINKSRCS=""
@@ -1606,7 +1608,9 @@ case "$use_openssl" in
@@ -1546,7 +1548,9 @@ case "$use_openssl" in
OPENSSLGOSTLINKSRCS=""
OPENSSLLINKOBJS=""
OPENSSLLINKSRCS=""
@ -360,7 +363,7 @@ index 849fa94..69e6373 100644
no)
AC_MSG_RESULT(no)
DST_OPENSSL_INC=""
@@ -1638,7 +1642,7 @@ case "$use_openssl" in
@@ -1578,7 +1582,7 @@ case "$use_openssl" in
If you do not want OpenSSL, use --without-openssl])
;;
*)
@ -369,7 +372,7 @@ index 849fa94..69e6373 100644
then
AC_MSG_RESULT()
AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
@@ -2066,6 +2070,7 @@ AC_SUBST(OPENSSL_ED25519)
@@ -2006,6 +2010,7 @@ AC_SUBST(OPENSSL_ED25519)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@ -377,7 +380,7 @@ index 849fa94..69e6373 100644
ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
if test "yes" = "$with_aes"
@@ -2384,6 +2389,7 @@ esac
@@ -2291,6 +2296,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
@ -385,7 +388,7 @@ index 849fa94..69e6373 100644
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_ED25519)
@@ -5497,8 +5503,11 @@ AC_CONFIG_FILES([
@@ -5405,8 +5411,11 @@ AC_CONFIG_FILES([
bin/delv/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
@ -397,7 +400,7 @@ index 849fa94..69e6373 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5572,6 +5581,10 @@ AC_CONFIG_FILES([
@@ -5479,6 +5488,10 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
@ -408,7 +411,7 @@ index 849fa94..69e6373 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
@@ -5596,6 +5609,24 @@ AC_CONFIG_FILES([
@@ -5503,6 +5516,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
@ -447,17 +450,18 @@ index 81270a0..bcb5312 100644
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index 4a8549e..6a19906 100644
index 7f09bd6..c388d9e 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -26,16 +26,16 @@ VERSION=@BIND9_VERSION@
@@ -26,17 +26,16 @@ VERSION=@BIND9_VERSION@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
- ${ISC_INCLUDES} ${MAXMINDDB_CFLAGS} \
- @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+ ${ISC_PKCS11_INCLUDES} ${MAXMINDDB_CFLAGS} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
@ -470,9 +474,9 @@ index 4a8549e..6a19906 100644
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = @LIBS@
LIBS = ${MAXMINDDB_LIBS} @LIBS@
@@ -146,15 +146,15 @@ version.@O@: version.c
@@ -150,15 +149,15 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@ -492,13 +496,9 @@ index 4a8549e..6a19906 100644
include: gen
${MAKE} include/dns/enumtype.h
@@ -180,25 +180,25 @@ code.h: gen
./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
@@ -189,22 +188,22 @@ gen: gen.c
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
${BUILD_LIBS} ${LFS_LIBS}
-timestamp: include libdns.@A@
+timestamp: include libdns-pkcs11.@A@
@ -523,9 +523,9 @@ index 4a8549e..6a19906 100644
+ rm -f libdns-pkcs11.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
rm -f dnstap.pb-c.c dnstap.pb-c.h
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index ba53ef1..d1f1771 100644
index 8ad54bb..a3ecdfb 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -23,8 +23,8 @@ CINCLUDES = -I${srcdir}/unix/include \
@ -539,7 +539,7 @@ index ba53ef1..d1f1771 100644
CWARNINGS =
# Alphabetically
@@ -107,40 +107,40 @@ version.@O@: version.c
@@ -103,40 +103,40 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c

55
SOURCES/bind-9.10-sdb.patch
View File

@ -14,7 +14,7 @@ index ce7a2da..4e6a824 100644
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index 6d2bfd1..d3f42e8 100644
index 03a72d5..4c1cb6d 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -30,10 +30,10 @@ VERSION=@BIND9_VERSION@
@ -31,7 +31,7 @@ index 6d2bfd1..d3f42e8 100644
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -79,7 +79,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
@@ -80,7 +80,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
@ -39,8 +39,8 @@ index 6d2bfd1..d3f42e8 100644
+TARGETS = named-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ server.@O@: server.c
GEOIP2LINKOBJS = geoip.@O@
@@ -154,7 +154,7 @@ server.@O@: server.c
-DPRODUCT=\"${PRODUCT}\" \
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
@ -49,7 +49,7 @@ index 6d2bfd1..d3f42e8 100644
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -173,8 +173,6 @@ statschannel.@O@: bind9.xsl.h
@@ -181,8 +181,6 @@ statschannel.@O@: bind9.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@ -58,7 +58,7 @@ index 6d2bfd1..d3f42e8 100644
install-man5: named.conf.5
${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man5
@@ -184,16 +182,11 @@ install-man8: named.8 lwresd.8
@@ -192,16 +190,11 @@ install-man8: named.8 lwresd.8
install-man: install-man5 install-man8
@ -79,10 +79,10 @@ index 6d2bfd1..d3f42e8 100644
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index bb639d9..555c4d9 100644
index 108b8d6..a943421 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -91,6 +91,10 @@
@@ -93,6 +93,10 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
@ -93,7 +93,7 @@ index bb639d9..555c4d9 100644
#ifdef CONTRIB_DLZ
/*
@@ -1061,6 +1065,11 @@ setup(void) {
@@ -1069,6 +1073,11 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@ -105,7 +105,7 @@ index bb639d9..555c4d9 100644
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s%s <id:%s>",
ns_g_product, ns_g_version,
@@ -1261,6 +1270,75 @@ setup(void) {
@@ -1269,6 +1278,75 @@ setup(void) {
isc_result_totext(result));
#endif
@ -181,7 +181,7 @@ index bb639d9..555c4d9 100644
ns_server_create(ns_g_mctx, &ns_g_server);
#ifdef HAVE_LIBSECCOMP
@@ -1303,6 +1381,11 @@ cleanup(void) {
@@ -1311,6 +1389,11 @@ cleanup(void) {
dns_name_destroy();
@ -194,22 +194,23 @@ index bb639d9..555c4d9 100644
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 6d2bfd1..86f8587 100644
index 03a72d5..47cc046 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -45,9 +45,9 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
@@ -45,10 +45,10 @@ DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
+ @DST_OPENSSL_INC@
- ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} ${MAXMINDDB_CFLAGS} \
+ ${MAXMINDDB_CFLAGS} \
@DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES = @CRYPTO@
-CDEFINES = @CONTRIB_DLZ@ @USE_GSSAPI@ @CRYPTO@
+CDEFINES = @USE_GSSAPI@ @CRYPTO@
CWARNINGS =
@@ -71,11 +71,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
@@ -72,11 +72,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@ -223,7 +224,7 @@ index 6d2bfd1..86f8587 100644
SUBDIRS = unix
@@ -90,8 +90,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@ -233,7 +234,7 @@ index 6d2bfd1..86f8587 100644
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -106,8 +105,7 @@ SRCS = builtin.c client.c config.c control.c \
@@ -113,8 +112,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@ -243,7 +244,7 @@ index 6d2bfd1..86f8587 100644
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -195,7 +193,5 @@ uninstall::
@@ -203,7 +201,5 @@ uninstall::
rm -f ${DESTDIR}${sbindir}/lwresd@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
@ -286,11 +287,11 @@ index c7e0868..95ab742 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/configure.in b/configure.in
index 62536a6..f571a4f 100644
--- a/configure.in
+++ b/configure.in
@@ -5445,6 +5445,8 @@ AC_CONFIG_FILES([
diff --git a/configure.ac b/configure.ac
index eff9f05..d05ad1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5429,6 +5429,8 @@ AC_CONFIG_FILES([
bin/named/unix/Makefile
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
@ -299,7 +300,7 @@ index 62536a6..f571a4f 100644
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
@@ -5469,6 +5471,7 @@ AC_CONFIG_FILES([
@@ -5453,6 +5455,7 @@ AC_CONFIG_FILES([
bin/python/isc/tests/dnskey_test.py
bin/python/isc/tests/policy_test.py
bin/rndc/Makefile

131
SOURCES/bind-9.11-CVE-2018-5743-atomic.patch
View File

@ -1,131 +0,0 @@
From 94e08314024c812063bf99bd191a46265a2ba49f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 24 Apr 2019 21:10:26 +0200
Subject: [PATCH] Missing atomic fix to original CVE patch
---
bin/named/client.c | 18 +++++++-----------
bin/named/include/named/interfacemgr.h | 5 +++--
bin/named/interfacemgr.c | 7 +++++--
3 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/bin/named/client.c b/bin/named/client.c
index 3ada6e9..d3bf47d 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -405,12 +405,10 @@ tcpconn_detach(ns_client_t *client) {
static void
mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
if (active && !client->tcpactive) {
- isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ isc_refcount_increment0(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
} else if (!active && client->tcpactive) {
- uint32_t old =
- isc_atomic_xadd(&client->interface->ntcpactive, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpactive, NULL);
client->tcpactive = active;
}
}
@@ -557,7 +555,7 @@ exit_check(ns_client_t *client) {
if (client->mortal && TCP_CLIENT(client) &&
client->newstate != NS_CLIENTSTATE_FREED &&
!ns_g_clienttest &&
- isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ isc_refcount_current(&client->interface->ntcpaccepting) == 0)
{
/* Nobody else is accepting */
client->mortal = ISC_FALSE;
@@ -3321,7 +3319,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3341,8 +3338,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
INSIST(client->naccepts == 1);
client->naccepts--;
- old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
- INSIST(old > 0);
+ isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
/*
* We must take ownership of the new socket before the exit
@@ -3473,8 +3469,8 @@ client_accept(ns_client_t *client) {
* quota is tcp-clients plus the number of listening
* interfaces plus 1.)
*/
- exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
- (client->tcpactive ? 1 : 0));
+ exit = (isc_refcount_current(&client->interface->ntcpactive) >
+ (client->tcpactive ? 1U : 0U));
if (exit) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
(void)exit_check(client);
@@ -3532,7 +3528,7 @@ client_accept(ns_client_t *client) {
* listening for connections itself to prevent the interface
* going dead.
*/
- isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
+ isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
}
static void
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index d9ac90f..aa21049 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -43,6 +43,7 @@
#include <isc/magic.h>
#include <isc/mem.h>
#include <isc/socket.h>
+#include <isc/refcount.h>
#include <dns/result.h>
@@ -73,11 +74,11 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int32_t ntcpaccepting; /*%< Number of clients
+ isc_refcount_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
- int32_t ntcpactive; /*%< Number of clients
+ isc_refcount_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 96c080b..2ce97bb 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -384,8 +384,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcpaccepting = 0;
- ifp->ntcpactive = 0;
+ isc_refcount_init(&ifp->ntcpaccepting, 0);
+ isc_refcount_init(&ifp->ntcpactive, 0);
ifp->nudpdispatch = 0;
@@ -616,6 +616,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_destroy(&ifp->ntcpactive);
+ isc_refcount_destroy(&ifp->ntcpaccepting);
+
ifp->magic = 0;
isc_mem_put(mctx, ifp, sizeof(*ifp));
}
--
2.20.1

868
SOURCES/bind-9.11-CVE-2018-5743.patch
View File

@ -1,868 +0,0 @@
From b2929ff50a7676563177bc52a372ddcae48cb002 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 24 Apr 2019 20:09:07 +0200
Subject: [PATCH] 5200. [security] tcp-clients settings could be
exceeded in some cases, which could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL
#615]
---
bin/named/client.c | 421 +++++++++++++++++++------
bin/named/include/named/client.h | 13 +-
bin/named/include/named/interfacemgr.h | 13 +-
bin/named/interfacemgr.c | 9 +-
lib/isc/include/isc/quota.h | 7 +
lib/isc/quota.c | 33 +-
6 files changed, 385 insertions(+), 111 deletions(-)
diff --git a/bin/named/client.c b/bin/named/client.c
index b7d8a98..e1acaf1 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -243,7 +243,7 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- isc_socket_t *sock);
+ isc_socket_t *sock, ns_client_t *oldclient);
static inline isc_boolean_t
allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
isc_uint8_t ecs_addrlen, isc_uint8_t *ecs_scope, dns_acl_t *acl);
@@ -295,6 +295,119 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
}
}
+/*%
+ * Allocate a reference-counted object that will maintain a single pointer to
+ * the (also reference-counted) TCP client quota, shared between all the
+ * clients processing queries on a single TCP connection, so that all
+ * clients sharing the one socket will together consume only one slot in
+ * the 'tcp-clients' quota.
+ */
+static isc_result_t
+tcpconn_init(ns_client_t *client, isc_boolean_t force) {
+ isc_result_t result;
+ isc_quota_t *quota = NULL;
+ ns_tcpconn_t *tconn = NULL;
+
+ REQUIRE(client->tcpconn == NULL);
+
+ /*
+ * Try to attach to the quota first, so we won't pointlessly
+ * allocate memory for a tcpconn object if we can't get one.
+ */
+ if (force) {
+ result = isc_quota_force(&ns_g_server->tcpquota, &quota);
+ } else {
+ result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
+ }
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+
+ /*
+ * A global memory context is used for the allocation as different
+ * client structures may have different memory contexts assigned and a
+ * reference counter allocated here might need to be freed by a
+ * different client. The performance impact caused by memory context
+ * contention here is expected to be negligible, given that this code
+ * is only executed for TCP connections.
+ */
+ tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
+
+ isc_refcount_init(&tconn->refs, 1);
+ tconn->tcpquota = quota;
+ quota = NULL;
+ tconn->pipelined = ISC_FALSE;
+
+ client->tcpconn = tconn;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Increase the count of client structures sharing the TCP connection
+ * that 'source' is associated with; add a pointer to the same tcpconn
+ * to 'target', thus associating it with the same TCP connection.
+ */
+static void
+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
+ int refs;
+
+ REQUIRE(source->tcpconn != NULL);
+ REQUIRE(target->tcpconn == NULL);
+ REQUIRE(source->tcpconn->pipelined);
+
+ isc_refcount_increment(&source->tcpconn->refs, &refs);
+ INSIST(refs > 1);
+ target->tcpconn = source->tcpconn;
+}
+
+/*%
+ * Decrease the count of client structures sharing the TCP connection that
+ * 'client' is associated with. If this is the last client using this TCP
+ * connection, we detach from the TCP quota and free the tcpconn
+ * object. Either way, client->tcpconn is set to NULL.
+ */
+static void
+tcpconn_detach(ns_client_t *client) {
+ ns_tcpconn_t *tconn = NULL;
+ int refs;
+
+ REQUIRE(client->tcpconn != NULL);
+
+ tconn = client->tcpconn;
+ client->tcpconn = NULL;
+
+ isc_refcount_decrement(&tconn->refs, &refs);
+ if (refs == 0) {
+ isc_quota_detach(&tconn->tcpquota);
+ isc_mem_free(ns_g_mctx, tconn);
+ }
+}
+
+/*%
+ * Mark a client as active and increment the interface's 'ntcpactive'
+ * counter, as a signal that there is at least one client servicing
+ * TCP queries for the interface. If we reach the TCP client quota at
+ * some point, this will be used to determine whether a quota overrun
+ * should be permitted.
+ *
+ * Marking the client active with the 'tcpactive' flag ensures proper
+ * accounting, by preventing us from incrementing or decrementing
+ * 'ntcpactive' more than once per client.
+ */
+static void
+mark_tcp_active(ns_client_t *client, isc_boolean_t active) {
+ if (active && !client->tcpactive) {
+ isc_atomic_xadd(&client->interface->ntcpactive, 1);
+ client->tcpactive = active;
+ } else if (!active && client->tcpactive) {
+ uint32_t old =
+ isc_atomic_xadd(&client->interface->ntcpactive, -1);
+ INSIST(old > 0);
+ client->tcpactive = active;
+ }
+}
+
/*%
* Check for a deactivation or shutdown request and take appropriate
* action. Returns ISC_TRUE if either is in progress; in this case
@@ -384,7 +497,8 @@ exit_check(ns_client_t *client) {
INSIST(client->recursionquota == NULL);
if (NS_CLIENTSTATE_READING == client->newstate) {
- if (!client->pipelined) {
+ INSIST(client->tcpconn != NULL);
+ if (!client->tcpconn->pipelined) {
client_read(client);
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE); /* We're done. */
@@ -402,10 +516,13 @@ exit_check(ns_client_t *client) {
*/
INSIST(client->recursionquota == NULL);
INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
+
+ if (client->nreads > 0) {
dns_tcpmsg_cancelread(&client->tcpmsg);
- if (client->nreads != 0) {
- /* Still waiting for read cancel completion. */
+ }
+
+ /* Still waiting for read cancel completion. */
+ if (client->nreads > 0) {
return (ISC_TRUE);
}
@@ -413,14 +530,49 @@ exit_check(ns_client_t *client) {
dns_tcpmsg_invalidate(&client->tcpmsg);
client->tcpmsg_valid = ISC_FALSE;
}
+
+ /*
+ * Soon the client will be ready to accept a new TCP
+ * connection or UDP request, but we may have enough
+ * clients doing that already. Check whether this client
+ * needs to remain active and allow it go inactive if
+ * not.
+ *
+ * UDP clients always go inactive at this point, but a TCP
+ * client may need to stay active and return to READY
+ * state if no other clients are available to listen
+ * for TCP requests on this interface.
+ *
+ * Regardless, if we're going to FREED state, that means
+ * the system is shutting down and we don't need to
+ * retain clients.
+ */
+ if (client->mortal && TCP_CLIENT(client) &&
+ client->newstate != NS_CLIENTSTATE_FREED &&
+ !ns_g_clienttest &&
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
+ {
+ /* Nobody else is accepting */
+ client->mortal = ISC_FALSE;
+ client->newstate = NS_CLIENTSTATE_READY;
+ }
+
+ /*
+ * Detach from TCP connection and TCP client quota,
+ * if appropriate. If this is the last reference to
+ * the TCP connection in our pipeline group, the
+ * TCP quota slot will be released.
+ */
+ if (client->tcpconn) {
+ tcpconn_detach(client);
+ }
+
if (client->tcpsocket != NULL) {
CTRACE("closetcp");
isc_socket_detach(&client->tcpsocket);
+ mark_tcp_active(client, ISC_FALSE);
}
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
if (client->timerset) {
(void)isc_timer_reset(client->timer,
isc_timertype_inactive,
@@ -428,45 +580,26 @@ exit_check(ns_client_t *client) {
client->timerset = ISC_FALSE;
}
- client->pipelined = ISC_FALSE;
-
client->peeraddr_valid = ISC_FALSE;
client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- *
- * UDP clients go inactive at this point, but TCP clients
- * may remain active if we have fewer active TCP client
- * objects than desired due to an earlier quota exhaustion.
- */
- if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- client->mortal = ISC_FALSE;
- UNLOCK(&client->interface->lock);
- }
/*
* We don't need the client; send it to the inactive
* queue for recycling.
*/
if (client->mortal) {
- if (client->newstate > NS_CLIENTSTATE_INACTIVE)
+ if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
client->newstate = NS_CLIENTSTATE_INACTIVE;
+ }
}
if (NS_CLIENTSTATE_READY == client->newstate) {
if (TCP_CLIENT(client)) {
client_accept(client);
- } else
+ } else {
client_udprecv(client);
+ }
client->newstate = NS_CLIENTSTATE_MAX;
return (ISC_TRUE);
}
@@ -478,41 +611,51 @@ exit_check(ns_client_t *client) {
/*
* We are trying to enter the inactive state.
*/
- if (client->naccepts > 0)
+ if (client->naccepts > 0) {
isc_socket_cancel(client->tcplistener, client->task,
ISC_SOCKCANCEL_ACCEPT);
+ }
/* Still waiting for accept cancel completion. */
- if (! (client->naccepts == 0))
+ if (client->naccepts > 0) {
return (ISC_TRUE);
+ }
/* Accept cancel is complete. */
- if (client->nrecvs > 0)
+ if (client->nrecvs > 0) {
isc_socket_cancel(client->udpsocket, client->task,
ISC_SOCKCANCEL_RECV);
+ }
/* Still waiting for recv cancel completion. */
- if (! (client->nrecvs == 0))
+ if (client->nrecvs > 0) {
return (ISC_TRUE);
+ }
/* Still waiting for control event to be delivered */
- if (client->nctls > 0)
+ if (client->nctls > 0) {
return (ISC_TRUE);
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
+ }
INSIST(client->naccepts == 0);
INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
+ if (client->tcplistener != NULL) {
isc_socket_detach(&client->tcplistener);
+ mark_tcp_active(client, ISC_FALSE);
+ }
- if (client->udpsocket != NULL)
+ if (client->udpsocket != NULL) {
isc_socket_detach(&client->udpsocket);
+ }
- if (client->dispatch != NULL)
+ /* Deactivate the client. */
+ if (client->interface != NULL) {
+ ns_interface_detach(&client->interface);
+ }
+
+ if (client->dispatch != NULL) {
dns_dispatch_detach(&client->dispatch);
+ }
client->attributes = 0;
client->mortal = ISC_FALSE;
@@ -537,10 +680,13 @@ exit_check(ns_client_t *client) {
client->newstate = NS_CLIENTSTATE_MAX;
if (!ns_g_clienttest && manager != NULL &&
!manager->exiting)
+ {
ISC_QUEUE_PUSH(manager->inactive, client,
ilink);
- if (client->needshutdown)
+ }
+ if (client->needshutdown) {
isc_task_shutdown(client->task);
+ }
return (ISC_TRUE);
}
}
@@ -650,7 +796,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
return;
if (TCP_CLIENT(client)) {
- if (client->pipelined) {
+ if (client->tcpconn != NULL) {
client_read(client);
} else {
client_accept(client);
@@ -660,7 +806,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
}
}
-
/*%
* The client's task has received a shutdown event.
*/
@@ -2301,6 +2446,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->nrecvs--;
} else {
INSIST(TCP_CLIENT(client));
+ INSIST(client->tcpconn != NULL);
REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
REQUIRE(event->ev_sender == &client->tcpmsg);
buffer = &client->tcpmsg.buffer;
@@ -2484,18 +2630,27 @@ client_request(isc_task_t *task, isc_event_t *event) {
/*
* Pipeline TCP query processing.
*/
- if (client->message->opcode != dns_opcode_query)
- client->pipelined = ISC_FALSE;
- if (TCP_CLIENT(client) && client->pipelined) {
- result = isc_quota_reserve(&ns_g_server->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
+ if (TCP_CLIENT(client) &&
+ client->message->opcode != dns_opcode_query)
+ {
+ client->tcpconn->pipelined = ISC_FALSE;
+ }
+ if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
+ /*
+ * We're pipelining. Replace the client; the
+ * replacement can read the TCP socket looking
+ * for new messages and this one can process the
+ * current message asynchronously.
+ *
+ * There will now be at least three clients using this
+ * TCP socket - one accepting new connections,
+ * one reading an existing connection to get new
+ * messages, and one answering the message already
+ * received.
+ */
+ result = ns_client_replace(client);
if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(read): %s",
- isc_result_totext(result));
- client->pipelined = ISC_FALSE;
+ client->tcpconn->pipelined = ISC_FALSE;
}
}
@@ -3051,8 +3206,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->signer = NULL;
dns_name_init(&client->signername, NULL);
client->mortal = ISC_FALSE;
- client->pipelined = ISC_FALSE;
- client->tcpquota = NULL;
+ client->tcpconn = NULL;
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
@@ -3062,6 +3216,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->filter_aaaa = dns_aaaa_ok;
#endif
client->needshutdown = ns_g_clienttest;
+ client->tcpactive = ISC_FALSE;
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
@@ -3156,9 +3311,10 @@ client_read(ns_client_t *client) {
static void
client_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
ns_client_t *client = event->ev_arg;
isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
+ uint32_t old;
REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
REQUIRE(NS_CLIENT_VALID(client));
@@ -3168,13 +3324,18 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
INSIST(client->state == NS_CLIENTSTATE_READY);
+ /*
+ * The accept() was successful and we're now establishing a new
+ * connection. We need to make note of it in the client and
+ * interface objects so client objects can do the right thing
+ * when going inactive in exit_check() (see comments in
+ * client_accept() for details).
+ */
INSIST(client->naccepts == 1);
client->naccepts--;
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
+ old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
+ INSIST(old > 0);
/*
* We must take ownership of the new socket before the exit
@@ -3207,6 +3368,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"accept failed: %s",
isc_result_totext(nevent->result));
+ tcpconn_detach(client);
}
if (exit_check(client))
@@ -3244,20 +3406,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
* telnetting to port 53 (once per CPU) will
* deny service to legitimate TCP clients.
*/
- client->pipelined = ISC_FALSE;
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients(accept): %s",
- isc_result_totext(result));
- } else if (ns_g_server->keepresporder == NULL ||
- !allowed(&netaddr, NULL, NULL, 0, NULL,
- ns_g_server->keepresporder)) {
- client->pipelined = ISC_TRUE;
+ result = ns_client_replace(client);
+ if (result == ISC_R_SUCCESS &&
+ (ns_g_server->keepresporder == NULL ||
+ !allowed(&netaddr, NULL, NULL, 0, NULL,
+ ns_g_server->keepresporder)))
+ {
+ client->tcpconn->pipelined = ISC_TRUE;
}
client_read(client);
@@ -3273,12 +3428,66 @@ client_accept(ns_client_t *client) {
CTRACE("accept");
+ /*
+ * Set up a new TCP connection. This means try to attach to the
+ * TCP client quota (tcp-clients), but fail if we're over quota.
+ */
+ result = tcpconn_init(client, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_boolean_t exit;
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "TCP client quota reached: %s",
+ isc_result_totext(result));
+
+ /*
+ * We have exceeded the system-wide TCP client quota. But,
+ * we can't just block this accept in all cases, because if
+ * we did, a heavy TCP load on other interfaces might cause
+ * this interface to be starved, with no clients able to
+ * accept new connections.
+ *
+ * So, we check here to see if any other clients are
+ * already servicing TCP queries on this interface (whether
+ * accepting, reading, or processing). If we find that at
+ * least one client other than this one is active, then
+ * it's okay *not* to call accept - we can let this
+ * client go inactive and another will take over when it's
+ * done.
+ *
+ * If there aren't enough active clients on the interface,
+ * then we can be a little bit flexible about the quota.
+ * We'll allow *one* extra client through to ensure we're
+ * listening on every interface; we do this by setting the
+ * 'force' option to tcpconn_init().
+ *
+ * (Note: In practice this means that the real TCP client
+ * quota is tcp-clients plus the number of listening
+ * interfaces plus 1.)
+ */
+ exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
+ (client->tcpactive ? 1 : 0));
+ if (exit) {
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ (void)exit_check(client);
+ return;
+ }
+
+ result = tcpconn_init(client, ISC_TRUE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this client was set up using get_client() or get_worker(),
+ * then TCP is already marked active. However, if it was restarted
+ * from exit_check(), it might not be, so we take care of it now.
+ */
+ mark_tcp_active(client, ISC_TRUE);
+
result = isc_socket_accept(client->tcplistener, client->task,
client_newconn, client);
if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
/*
* XXXRTH What should we do? We're trying to accept but
* it didn't work. If we just give up, then TCP
@@ -3286,13 +3495,37 @@ client_accept(ns_client_t *client) {
*
* For now, we just go idle.
*/
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+
+ tcpconn_detach(client);
+ mark_tcp_active(client, ISC_FALSE);
return;
}
+
+ /*
+ * The client's 'naccepts' counter indicates that this client has
+ * called accept() and is waiting for a new connection. It should
+ * never exceed 1.
+ */
INSIST(client->naccepts == 0);
client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
+
+ /*
+ * The interface's 'ntcpaccepting' counter is incremented when
+ * any client calls accept(), and decremented in client_newconn()
+ * once the connection is established.
+ *
+ * When the client object is shutting down after handling a TCP
+ * request (see exit_check()), if this value is at least one, that
+ * means another client has called accept() and is waiting to
+ * establish the next connection. That means the client may be
+ * be free to become inactive; otherwise it may need to start
+ * listening for connections itself to prevent the interface
+ * going dead.
+ */
+ isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
}
static void
@@ -3363,15 +3596,17 @@ ns_client_replace(ns_client_t *client) {
REQUIRE(client->manager != NULL);
tcp = TCP_CLIENT(client);
- if (tcp && client->pipelined) {
+ if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
result = get_worker(client->manager, client->interface,
- client->tcpsocket);
+ client->tcpsocket, client);
} else {
result = get_client(client->manager, client->interface,
client->dispatch, tcp);
+
}
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (result);
+ }
/*
* The responsibility for listening for new requests is hereby
@@ -3557,9 +3792,12 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
client->dscp = ifp->dscp;
if (tcp) {
+ mark_tcp_active(client, ISC_TRUE);
+
client->attributes |= NS_CLIENTATTR_TCP;
isc_socket_attach(ifp->tcpsocket,
&client->tcplistener);
+
} else {
isc_socket_t *sock;
@@ -3577,7 +3815,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
}
static isc_result_t
-get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
+ ns_client_t *oldclient)
{
isc_result_t result = ISC_R_SUCCESS;
isc_event_t *ev;
@@ -3585,6 +3824,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
MTRACE("get worker");
REQUIRE(manager != NULL);
+ REQUIRE(oldclient != NULL);
if (manager->exiting)
return (ISC_R_SHUTTINGDOWN);
@@ -3617,14 +3857,15 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
ns_interface_attach(ifp, &client->interface);
client->newstate = client->state = NS_CLIENTSTATE_WORKING;
INSIST(client->recursionquota == NULL);
- client->tcpquota = &ns_g_server->tcpquota;
client->dscp = ifp->dscp;
client->attributes |= NS_CLIENTATTR_TCP;
- client->pipelined = ISC_TRUE;
client->mortal = ISC_TRUE;
+ tcpconn_attach(oldclient, client);
+ mark_tcp_active(client, ISC_TRUE);
+
isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
isc_socket_attach(sock, &client->tcpsocket);
isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 262b906..0f54d22 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
-
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
@@ -77,6 +75,13 @@
*** Types
***/
+/*% reference-counted TCP connection object */
+typedef struct ns_tcpconn {
+ isc_refcount_t refs;
+ isc_quota_t *tcpquota;
+ isc_boolean_t pipelined;
+} ns_tcpconn_t;
+
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
@@ -91,6 +96,7 @@ struct ns_client {
int nupdates;
int nctls;
int references;
+ isc_boolean_t tcpactive;
isc_boolean_t needshutdown; /*
* Used by clienttest to get
* the client to go from
@@ -129,8 +135,7 @@ struct ns_client {
dns_name_t signername; /*%< [T]SIG key name */
dns_name_t * signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
- isc_boolean_t pipelined; /*%< TCP queries not in sequence */
- isc_quota_t *tcpquota;
+ ns_tcpconn_t *tcpconn;
isc_quota_t *recursionquota;
ns_interface_t *interface;
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index 36870f3..d9ac90f 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -9,8 +9,6 @@
* information regarding copyright ownership.
*/
-/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
-
#ifndef NAMED_INTERFACEMGR_H
#define NAMED_INTERFACEMGR_H 1
@@ -75,9 +73,14 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
- int ntcptarget; /*%< Desired number of concurrent
- TCP accepts */
- int ntcpcurrent; /*%< Current ditto, locked */
+ int32_t ntcpaccepting; /*%< Number of clients
+ ready to accept new
+ TCP connections on this
+ interface */
+ int32_t ntcpactive; /*%< Number of clients
+ servicing TCP queries
+ (whether accepting or
+ connected) */
int nudpdispatch; /*%< Number of UDP dispatches */
ns_clientmgr_t * clientmgr; /*%< Client manager. */
ISC_LINK(ns_interface_t) link;
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d8c7188..96c080b 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -384,8 +384,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
- ifp->ntcptarget = 1;
- ifp->ntcpcurrent = 0;
+ ifp->ntcpaccepting = 0;
+ ifp->ntcpactive = 0;
+
ifp->nudpdispatch = 0;
ifp->dscp = -1;
@@ -520,9 +521,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
*/
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
- result = ns_clientmgr_createclients(ifp->clientmgr,
- ifp->ntcptarget, ifp,
- ISC_TRUE);
+ result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"TCP ns_clientmgr_createclients(): %s",
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
index b9bf598..36c5830 100644
--- a/lib/isc/include/isc/quota.h
+++ b/lib/isc/include/isc/quota.h
@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
*/
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ * Like isc_quota_attach, but will attach '*p' to the quota
+ * even if the hard quota has been exceeded.
+ */
+
void
isc_quota_detach(isc_quota_t **p);
/*%<
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
index 3ddff0d..20976a4 100644
--- a/lib/isc/quota.c
+++ b/lib/isc/quota.c
@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
UNLOCK(&quota->lock);
}
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
+static isc_result_t
+doattach(isc_quota_t *quota, isc_quota_t **p, isc_boolean_t force) {
isc_result_t result;
- INSIST(p != NULL && *p == NULL);
+ REQUIRE(p != NULL && *p == NULL);
+
result = isc_quota_reserve(quota);
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
+ *p = quota;
+ } else if (result == ISC_R_QUOTA && force) {
+ /* attach anyway */
+ LOCK(&quota->lock);
+ quota->used++;
+ UNLOCK(&quota->lock);
+
*p = quota;
+ result = ISC_R_SUCCESS;
+ }
+
return (result);
}
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_FALSE));
+}
+
+isc_result_t
+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
+ return (doattach(quota, p, ISC_TRUE));
+}
+
void
-isc_quota_detach(isc_quota_t **p)
-{
+isc_quota_detach(isc_quota_t **p) {
INSIST(p != NULL && *p != NULL);
isc_quota_release(*p);
*p = NULL;
--
2.20.1

44
SOURCES/bind-9.11-CVE-2018-5744-test.patch
View File

@ -1,44 +0,0 @@
From 4b9bfa5c8cae6f81e94af0f582bf9686320144db Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 10 Dec 2018 13:33:54 +1100
Subject: [PATCH] check that multiple KEY-TAG trust-anchor-telemetry options
don't leak memory
(cherry picked from commit 4b1dc4a5445e9561f2208f9388cf9f9e2cfcbe51)
(cherry picked from commit f545e9dff1f0eadcdea5531ef7062324d232c716)
(cherry picked from commit 2bda5ac2e1635ac10a595c4ff155516ded7abec2)
---
bin/tests/system/dnssec/tests.sh | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 3156668..b1907c7 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3508,11 +3508,22 @@ status=`expr $status + $ret`
echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
ret=0
-$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
+$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
+ret=0
+$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
+(cd "$SYSTEMTESTTOP" && $PERL ./stop.pl dnssec ns1) || ret=1
+(cd "$SYSTEMTESTTOP" && $PERL ./start.pl --noclean --restart --port ${PORT} dnssec ns1) || ret=1
+n=`expr $n + 1`
+test "$ret" -eq 0 || echo_i "failed"
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
--
2.20.1

31
SOURCES/bind-9.11-CVE-2018-5744.patch
View File

@ -1,31 +0,0 @@
From a4e1db793d4971d87631276ea57808074ed2c1c7 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 17:23:53 +0100
Subject: [PATCH 1/3] Fix CVE-2018-5744
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
---
bin/named/client.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/bin/named/client.c b/bin/named/client.c
index b9ebc93..b7d8a98 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -2112,6 +2112,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
return (DNS_R_OPTERR);
}
+ /* Silently drop additional keytag options. */
+ if (client->keytag != NULL) {
+ isc_buffer_forward(buf, (unsigned int)optlen);
+ return (ISC_R_SUCCESS);
+ }
+
client->keytag = isc_mem_get(client->mctx, optlen);
if (client->keytag != NULL) {
client->keytag_len = (isc_uint16_t)optlen;
--
2.20.1

48
SOURCES/bind-9.11-CVE-2019-6471.patch
View File

@ -1,48 +0,0 @@
From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Wed, 19 Jun 2019 12:28:08 +0200
Subject: [PATCH] Fix CVE-2019-6471
5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
---
lib/dns/dispatch.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 321459ebcb..ae5c9c0fc7 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
disp = resp->disp;
REQUIRE(VALID_DISPATCH(disp));
- REQUIRE(resp->item_out == ISC_TRUE);
- resp->item_out = ISC_FALSE;
-
ev = *sockevent;
*sockevent = NULL;
LOCK(&disp->lock);
+
+ REQUIRE(resp->item_out == ISC_TRUE);
+ resp->item_out = ISC_FALSE;
+
if (ev->buffer.base != NULL)
free_buffer(disp, ev->buffer.base, ev->buffer.length);
free_devent(disp, ev);
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
isc_task_send(disp->task[0], &disp->ctlevent);
}
+/*
+ * disp must be locked.
+ */
static void
do_cancel(dns_dispatch_t *disp) {
dns_dispatchevent_t *ev;
--
2.20.1

171
SOURCES/bind-9.11-dhcp-time-monotonic.patch Normal file
View File

@ -0,0 +1,171 @@
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0389efa..149cde5 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -89,7 +89,8 @@
#define ISC_R_DISCFULL 67 /*%< disc full */
#define ISC_R_DEFAULT 68 /*%< default */
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
-#define ISC_R_NRESULTS 70
+#define ISC_R_TIMESHIFTED 70 /*%< system time changed */
+#define ISC_R_NRESULTS 71
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 973c348..cceeb5e 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -289,6 +289,10 @@ extern void mock_assert(const int result, const char* const expression,
* Time
*/
#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+#ifdef CLOCK_BOOTTIME
+#define TIME_MONOTONIC(tp) RUNTIME_CHECK(isc_time_boottime((tp)) == ISC_R_SUCCESS)
+#endif
+
/*%
* Alignment
diff --git a/lib/isc/result.c b/lib/isc/result.c
index a9db132..f33fc6b 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -105,6 +105,7 @@ static const char *description[ISC_R_NRESULTS] = {
"disc full", /*%< 67 */
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
+ "time changed", /*%< 70 */
};
static const char *identifier[ISC_R_NRESULTS] = {
@@ -178,6 +179,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
"ISC_R_DISCFULL",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
+ "ISC_R_TIMESHIFTED",
};
#define ISC_RESULT_RESULTSET 2
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index a6e9882..286fe95 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -442,15 +442,47 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
static isc_result_t
evloop(isc__appctx_t *ctx) {
isc_result_t result;
+ isc_time_t now;
+#ifdef CLOCK_BOOTTIME
+ isc_time_t monotonic;
+ isc_uint64_t diff = 0;
+#else
+ isc_time_t prev;
+ TIME_NOW(&prev);
+#endif
while (!ctx->want_shutdown) {
int n;
- isc_time_t when, now;
+ isc_time_t when;
struct timeval tv, *tvp;
isc_socketwait_t *swait;
bool readytasks;
bool call_timer_dispatch = false;
+ uint64_t us;
+
+#ifdef CLOCK_BOOTTIME
+ // TBD macros for following three lines
+ TIME_NOW(&now);
+ TIME_MONOTONIC(&monotonic);
+ INSIST(now.seconds > monotonic.seconds)
+ us = isc_time_microdiff (&now, &monotonic);
+ if (us < diff){
+ us = diff - us;
+ if (us > 1000000){ // ignoring shifts less than one second
+ return ISC_R_TIMESHIFTED;
+ };
+ diff = isc_time_microdiff (&now, &monotonic);
+ } else {
+ diff = isc_time_microdiff (&now, &monotonic);
+ // not implemented
+ }
+#else
+ TIME_NOW(&now);
+ if (isc_time_compare (&now, &prev) < 0)
+ return ISC_R_TIMESHIFTED;
+ TIME_NOW(&prev);
+#endif
/*
* Check the reload (or suspend) case first for exiting the
* loop as fast as possible in case:
@@ -475,7 +507,6 @@ evloop(isc__appctx_t *ctx) {
if (result != ISC_R_SUCCESS)
tvp = NULL;
else {
- uint64_t us;
TIME_NOW(&now);
us = isc_time_microdiff(&when, &now);
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index b864c29..5dd43c9 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -132,6 +132,26 @@ isc_time_isepoch(const isc_time_t *t);
*\li 't' is a valid pointer.
*/
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t);
+/*%<
+ * Set 't' to monotonic time from previous boot
+ * it's not affected by system time change. It also
+ * includes the time system was suspended
+ *
+ * Requires:
+ *\li 't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li Success
+ *\li Unexpected error
+ * Getting the time from the system failed.
+ */
+#endif /* CLOCK_BOOTTIME */
+
+
isc_result_t
isc_time_now(isc_time_t *t);
/*%<
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index 8edc9df..fe0bb91 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -498,3 +498,25 @@ isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
t->nanoseconds / NS_PER_MS);
}
}
+
+
+#ifdef CLOCK_BOOTTIME
+isc_result_t
+isc_time_boottime(isc_time_t *t) {
+ struct timespec ts;
+
+ char strbuf[ISC_STRERRORSIZE];
+
+ if (clock_gettime (CLOCK_BOOTTIME, &ts) != 0){
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ t->seconds = ts.tv_sec;
+ t->nanoseconds = ts.tv_nsec;
+
+ return (ISC_R_SUCCESS);
+
+};
+#endif

27
SOURCES/bind-9.11-engine-pkcs11.patch Normal file
View File

@ -0,0 +1,27 @@
From 37f89ccfc439f8d86c401d9ae10e94e53b924961 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Aug 2019 20:39:59 +0200
Subject: [PATCH] Do not set engine for native PKCS11
It resets already set lib_path to pkcs11, which is invalid in native
pkcs11 crypto. Engine has to be path to PKCS#11 module.
---
bin/named/include/named/globals.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index eda2214..2a611d5 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -160,7 +160,7 @@ EXTERN const char * ns_g_defaultdnstap INIT(NULL);
EXTERN const char * ns_g_username INIT(NULL);
-#if defined(USE_PKCS11)
+#if defined(USE_PKCS11) && !defined(PKCS11CRYPTO)
EXTERN const char * ns_g_engine INIT(PKCS11_ENGINE);
#else
EXTERN const char * ns_g_engine INIT(NULL);
--
2.20.1

14
SOURCES/bind-9.11-export-suffix.patch
View File

@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in
index e6cd6a4..988b0a7 100644
--- a/configure.in
+++ b/configure.in
@@ -5116,6 +5116,8 @@ AC_SUBST(BUILD_CPPFLAGS)
diff --git a/configure.ac b/configure.ac
index c1bfd62..7c5ad51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5333,6 +5333,8 @@ AC_SUBST(BUILD_CPPFLAGS)
AC_SUBST(BUILD_LDFLAGS)
AC_SUBST(BUILD_LIBS)
@ -12,10 +12,10 @@ index e6cd6a4..988b0a7 100644
# Commands to run at the end of config.status.
# Don't just put these into configure, it won't work right if somebody
diff --git a/isc-config.sh.in b/isc-config.sh.in
index 110191a..5a64004 100644
index b5e94ed..d2857e0 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -12,16 +12,17 @@ prefix=@prefix@
@@ -13,16 +13,17 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@

533
SOURCES/bind-9.11-fips-code.patch
View File

File diff suppressed because it is too large Load Diff

121
SOURCES/bind-9.11-fips-disable.patch Normal file
View File

@ -0,0 +1,121 @@
From 83b889c238282b210f874a3ad81bb56299767495 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 5 Aug 2019 11:54:03 +0200
Subject: [PATCH] Allow explicit disabling of autodisabled MD5
Default security policy might include explicitly disabled RSAMD5
algorithm. Current FIPS code automatically disables in FIPS mode. But if
RSAMD5 is included in security policy, it fails to start, because that
algorithm is not recognized. Allow it disabled, but fail on any
other usage.
---
bin/named/server.c | 4 ++--
lib/bind9/check.c | 4 ++++
lib/dns/rcode.c | 33 +++++++++++++++------------------
3 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 5b57371..51702ab 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1547,12 +1547,12 @@ disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
r.length = strlen(r.base);
result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
uint8_t ui;
result = isc_parse_uint8(&ui, r.base, 10);
alg = ui;
}
- if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_SUCCESS && result != ISC_R_DISABLED) {
cfg_obj_log(cfg_listelt_value(element),
ns_g_lctx, ISC_LOG_ERROR,
"invalid algorithm");
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index e0803d4..8023784 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -302,6 +302,10 @@ disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
r.length = strlen(r.base);
tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult == ISC_R_DISABLED) {
+ // Recognize disabled algorithms, disable it explicitly
+ tresult = ISC_R_SUCCESS;
+ }
if (tresult != ISC_R_SUCCESS) {
cfg_obj_log(cfg_listelt_value(element), logctx,
ISC_LOG_ERROR, "invalid algorithm '%s'",
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f51d548..c49b8d1 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -126,7 +126,6 @@
#endif
#define SECALGNAMES \
- MD5_SECALGNAMES \
DH_SECALGNAMES \
DSA_SECALGNAMES \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
@@ -178,6 +177,7 @@ static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
static struct tbl certs[] = { CERTNAMES };
static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl md5_secalgs[] = { MD5_SECALGNAMES };
static struct tbl secprotos[] = { SECPROTONAMES };
static struct tbl hashalgs[] = { HASHALGNAMES };
static struct tbl dsdigests[] = { DSDIGESTNAMES };
@@ -358,33 +358,30 @@ dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
return (dns_mnemonic_totext(cert, target, certs));
}
-static inline struct tbl *
-secalgs_tbl_start() {
- struct tbl *algs = secalgs;
-
-#ifndef PK11_MD5_DISABLE
- if (!isc_md5_available()) {
- while (algs->name != NULL &&
- algs->value == DNS_KEYALG_RSAMD5)
- ++algs;
- }
-#endif
- return algs;
-}
-
isc_result_t
dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
unsigned int value;
+ isc_result_t result;
- RETERR(dns_mnemonic_fromtext(&value, source,
- secalgs_tbl_start(), 0xff));
+ result = dns_mnemonic_fromtext(&value, source,
+ secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ result = dns_mnemonic_fromtext(&value, source,
+ md5_secalgs, 0xff);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ } else if (!isc_md5_available()) {
+ *secalgp = value;
+ return (ISC_R_DISABLED);
+ }
+ }
*secalgp = value;
return (ISC_R_SUCCESS);
}
isc_result_t
dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
- return (dns_mnemonic_totext(secalg, target, secalgs_tbl_start()));
+ return (dns_mnemonic_totext(secalg, target, secalgs));
}
void
--
2.20.1

615
SOURCES/bind-9.11-fips-tests.patch
View File

File diff suppressed because it is too large Load Diff

40
SOURCES/bind-9.11-host-idn-disable.patch
View File

@ -1,4 +1,4 @@
From 145fac914bf47128307aea702fed7eb74b65cadd Mon Sep 17 00:00:00 2001
From ec50eff97c259b5bfbfa4e050d69fe7b39b0f15a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 25 Sep 2018 18:08:46 +0200
Subject: [PATCH] Disable IDN from environment as documented
@ -12,16 +12,16 @@ Support variable CHARSET=ASCII to disable IDN, supported in downstream
RH patch since RHEL 5.
---
bin/dig/dig.docbook | 4 +++-
bin/dig/dighost.c | 9 +++++++--
bin/dig/dighost.c | 5 +++++
bin/dig/host.docbook | 2 +-
bin/dig/nslookup.docbook | 15 +++++++++++++++
4 files changed, 26 insertions(+), 4 deletions(-)
4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index fedd288..d5dba72 100644
index 5d19301..933af79 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -1288,7 +1288,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
@@ -1312,7 +1312,9 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
reply from the server.
If you'd like to turn off the IDN support for some reason, use
parameters <parameter>+noidnin</parameter> and
@ -33,34 +33,26 @@ index fedd288..d5dba72 100644
</refsection>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 7408193..d46379d 100644
index 5eabc1f..73aaab8 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -822,12 +822,17 @@ make_empty_lookup(void) {
looknew->seenbadcookie = ISC_FALSE;
looknew->badcookie = ISC_TRUE;
@@ -826,6 +826,11 @@ make_empty_lookup(void) {
looknew->badcookie = true;
#ifdef WITH_IDN_SUPPORT
- looknew->idnin = ISC_TRUE;
+ looknew->idnin = (getenv("IDN_DISABLE") == NULL);
looknew->idnin = isatty(1)?(getenv("IDN_DISABLE") == NULL):false;
+ if (looknew->idnin) {
+ const char *charset = getenv("CHARSET");
+ if (charset && !strcmp(charset, "ASCII"))
+ looknew->idnin = ISC_FALSE;
+ looknew->idnin = false;
+ }
#else
looknew->idnin = ISC_FALSE;
#endif
#ifdef WITH_IDN_OUT_SUPPORT
- looknew->idnout = ISC_TRUE;
+ looknew->idnout = looknew->idnin;
#else
looknew->idnout = ISC_FALSE;
looknew->idnin = false;
#endif
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 9c3aeaa..42cbbf9 100644
index da0f8fb..9689b5a 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -378,7 +378,7 @@
@@ -379,7 +379,7 @@
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
@ -70,10 +62,10 @@ index 9c3aeaa..42cbbf9 100644
The IDN support is disabled if the variable is set when
<command>host</command> runs.
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index 3aff4e9..86a09c6 100644
index d46fc2d..6d7d181 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -478,6 +478,21 @@ nslookup -query=hinfo -timeout=10
@@ -495,6 +495,21 @@ nslookup -query=hinfo -timeout=10
</para>
</refsection>
@ -96,5 +88,5 @@ index 3aff4e9..86a09c6 100644
<para><filename>/etc/resolv.conf</filename>
--
2.14.4
2.20.1

50
SOURCES/bind-9.11-json-c.patch Normal file
View File

@ -0,0 +1,50 @@
From cb6d2019766a6c8c5516fd8859cedf0052f03293 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 25 Jul 2019 11:37:57 +0200
Subject: [PATCH] Skip support of jsoncpp
Bind cannot be compiled when jsoncpp-devel is installed. Remove support
for jsoncpp, use only json-c-devel. Bind 9.15 has already support for
--with-json-c, do not yet introduce it.
---
configure.ac | 17 ++---------------
1 file changed, 2 insertions(+), 15 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6d05337..5ce83b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2594,15 +2594,7 @@ case "$use_libjson" in
auto|yes)
for d in /usr /usr/local /opt/local
do
- if test -f "${d}/include/json/json.h"
- then
- if test ${d} != /usr
- then
- libjson_cflags="-I ${d}/include"
- LIBS="$LIBS -L${d}/lib"
- fi
- have_libjson="yes"
- elif test -f "${d}/include/json-c/json.h"
+ if test -f "${d}/include/json-c/json.h"
then
if test ${d} != /usr
then
@@ -2615,12 +2607,7 @@ case "$use_libjson" in
done
;;
*)
- if test -f "${use_libjson}/include/json/json.h"
- then
- libjson_cflags="-I${use_libjson}/include"
- LIBS="$LIBS -L${use_libjson}/lib"
- have_libjson="yes"
- elif test -f "${use_libjson}/include/json-c/json.h"
+ if test -f "${use_libjson}/include/json-c/json.h"
then
libjson_cflags="-I${use_libjson}/include"
LIBS="$LIBS -L${use_libjson}/lib"
--
2.20.1

106
SOURCES/bind-9.11-kyua-pkcs11.patch
View File

@ -1,4 +1,4 @@
From d0433a314534e104f52acf2a0a96a68dd84305ae Mon Sep 17 00:00:00 2001
From eb38d2278937ec3fe45d0af30cd080953bbb5b54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 2 Jan 2018 18:13:07 +0100
Subject: [PATCH] Fix pkcs11 variants atf tests
@ -7,20 +7,19 @@ Add dns-pkcs11 tests Makefile to configure
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
---
configure.in | 1 +
lib/Atffile | 2 ++
configure.ac | 1 +
lib/Kyuafile | 2 ++
lib/dns-pkcs11/tests/Makefile.in | 10 +++++-----
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
lib/isc-pkcs11/tests/Makefile.in | 6 +++---
lib/isc-pkcs11/tests/hash_test.c | 32 +++++++++++++++++++++++++-------
7 files changed, 40 insertions(+), 16 deletions(-)
6 files changed, 38 insertions(+), 16 deletions(-)
diff --git a/configure.in b/configure.in
index 67b3aab..4767eeb 100644
--- a/configure.in
+++ b/configure.in
@@ -5579,6 +5579,7 @@ AC_CONFIG_FILES([
diff --git a/configure.ac b/configure.ac
index 0532feb..a83ddd5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5578,6 +5578,7 @@ AC_CONFIG_FILES([
lib/dns-pkcs11/include/Makefile
lib/dns-pkcs11/include/dns/Makefile
lib/dns-pkcs11/include/dst/Makefile
@ -28,25 +27,11 @@ index 67b3aab..4767eeb 100644
lib/irs/Makefile
lib/irs/include/Makefile
lib/irs/include/irs/Makefile
diff --git a/lib/Atffile b/lib/Atffile
index 93bbb01..4db3dce 100644
--- a/lib/Atffile
+++ b/lib/Atffile
@@ -3,7 +3,9 @@ Content-Type: application/X-atf-atffile; version="1"
prop: test-suite = bind9
tp: dns
+tp: dns-pkcs11
tp: irs
tp: isc
+tp: isc-pkcs11
tp: isccfg
tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile
index ff9fc56..eaaf0dc 100644
index 7c8bab0..eec9564 100644
--- a/lib/Kyuafile
+++ b/lib/Kyuafile
@@ -2,7 +2,9 @@ syntax(2)
@@ -2,8 +2,10 @@ syntax(2)
test_suite('bind9')
include('dns/Kyuafile')
@ -54,67 +39,68 @@ index ff9fc56..eaaf0dc 100644
include('irs/Kyuafile')
include('isc/Kyuafile')
+include('isc-pkcs11/Kyuafile')
include('isccc/Kyuafile')
include('isccfg/Kyuafile')
include('lwres/Kyuafile')
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
index 2a6571b..f25a784 100644
index 7671e1d..e237d5c 100644
--- a/lib/dns-pkcs11/tests/Makefile.in
+++ b/lib/dns-pkcs11/tests/Makefile.in
@@ -20,12 +20,12 @@ VERSION=@BIND9_VERSION@
@@ -17,12 +17,12 @@ VERSION=@BIND9_VERSION@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
@DST_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
-ISCLIBS = ../../isc/libisc.@A@
-ISCDEPLIBS = ../../isc/libisc.@A@
-DNSLIBS = ../libdns.@A@ @DNS_CRYPTO_LIBS@
-DNSLIBS = ../libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
-DNSDEPLIBS = ../libdns.@A@
+ISCLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+ISCDEPLIBS = ../../isc-pkcs11/libisc-pkcs11.@A@
+DNSLIBS = ../libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../libdns-pkcs11.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
+DNSDEPLIBS = ../libdns-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
index 036d27a..eb6554f 100644
index 4dbfd82..a383b8e 100644
--- a/lib/dns-pkcs11/tests/dh_test.c
+++ b/lib/dns-pkcs11/tests/dh_test.c
@@ -63,7 +63,8 @@ ATF_TC_BODY(isc_dh_computesecret, tc) {
ret = dst_key_computesecret(key, key, &buf);
ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
ret = key->func->computesecret(key, key, &buf);
- ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
@@ -86,7 +86,8 @@ dh_computesecret(void **state) {
result = dst_key_computesecret(key, key, &buf);
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
result = key->func->computesecret(key, key, &buf);
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
+ /* PKCS11 variant gives different result, accept both */
+ ATF_REQUIRE(ret == DST_R_COMPUTESECRETFAILURE || ret == DST_R_INVALIDPRIVATEKEY);
+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
dst_key_free(&key);
dns_test_end();
}
diff --git a/lib/isc-pkcs11/tests/Makefile.in b/lib/isc-pkcs11/tests/Makefile.in
index f7fa538..818dae4 100644
index 2fdee0b..a263b35 100644
--- a/lib/isc-pkcs11/tests/Makefile.in
+++ b/lib/isc-pkcs11/tests/Makefile.in
@@ -17,10 +17,10 @@ VERSION=@BIND9_VERSION@
@@ -16,10 +16,10 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+CDEFINES = @CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
+CDEFINES = @CRYPTO_PK11@ -DTESTS="\"${top_builddir}/lib/isc-pkcs11/tests/\""
-ISCLIBS = ../libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCDEPLIBS = ../libisc.@A@
+ISCLIBS = ../libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS = ../libisc-pkcs11.@A@
LIBS = @LIBS@ @ATFLIBS@
LIBS = @LIBS@ @CMOCKA_LIBS@
CFLAGS = @CFLAGS@ @CMOCKA_CFLAGS@
diff --git a/lib/isc-pkcs11/tests/hash_test.c b/lib/isc-pkcs11/tests/hash_test.c
index 5b8a374..c1891c2 100644
index 9c4d299..d9deba2 100644
--- a/lib/isc-pkcs11/tests/hash_test.c
+++ b/lib/isc-pkcs11/tests/hash_test.c
@@ -74,7 +74,7 @@ typedef struct hash_testcase {
@@ -85,7 +85,7 @@ typedef struct hash_testcase {
typedef struct hash_test_key {
const char *key;
@ -123,7 +109,7 @@ index 5b8a374..c1891c2 100644
} hash_test_key_t;
/* non-hmac tests */
@@ -957,8 +957,11 @@ ATF_TC_BODY(isc_hmacsha1, tc) {
@@ -956,8 +956,11 @@ isc_hmacsha1_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -134,9 +120,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+ isc_hmacsha1_init(&hmacsha1, buffer, len);
isc_hmacsha1_update(&hmacsha1,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1120,8 +1123,11 @@ ATF_TC_BODY(isc_hmacsha224, tc) {
@@ -1116,8 +1119,11 @@ isc_hmacsha224_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -147,9 +133,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+ isc_hmacsha224_init(&hmacsha224, buffer, len);
isc_hmacsha224_update(&hmacsha224,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1283,8 +1289,11 @@ ATF_TC_BODY(isc_hmacsha256, tc) {
@@ -1277,8 +1283,11 @@ isc_hmacsha256_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -160,9 +146,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+ isc_hmacsha256_init(&hmacsha256, buffer, len);
isc_hmacsha256_update(&hmacsha256,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1452,8 +1461,11 @@ ATF_TC_BODY(isc_hmacsha384, tc) {
@@ -1444,8 +1453,11 @@ isc_hmacsha384_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -173,9 +159,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+ isc_hmacsha384_init(&hmacsha384, buffer, len);
isc_hmacsha384_update(&hmacsha384,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1621,8 +1633,11 @@ ATF_TC_BODY(isc_hmacsha512, tc) {
@@ -1611,8 +1623,11 @@ isc_hmacsha512_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -186,9 +172,9 @@ index 5b8a374..c1891c2 100644
- isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+ isc_hmacsha512_init(&hmacsha512, buffer, len);
isc_hmacsha512_update(&hmacsha512,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
@@ -1765,8 +1780,11 @@ ATF_TC_BODY(isc_hmacmd5, tc) {
@@ -1755,8 +1770,11 @@ isc_hmacmd5_test(void **state) {
hash_test_key_t *test_key = test_keys;
while (testcase->input != NULL && testcase->result != NULL) {
@ -199,8 +185,8 @@ index 5b8a374..c1891c2 100644
- isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+ isc_hmacmd5_init(&hmacmd5, buffer, len);
isc_hmacmd5_update(&hmacmd5,
(const isc_uint8_t *) testcase->input,
(const uint8_t *) testcase->input,
testcase->input_len);
--
2.14.3
2.20.1

32
SOURCES/bind-9.11-oot-manual.patch
View File

@ -1,4 +1,4 @@
From e462d022a9dc52c40aece6f8ba3123ff3ffa59ed Mon Sep 17 00:00:00 2001
From 8ca95f47231822df2b9c171a4da1e93ca5b748eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 25 Jul 2018 12:24:16 +0200
Subject: [PATCH] Use make automatic variables to install updated manuals
@ -19,7 +19,7 @@ Install all files in single command instead of iterating on each of them.
9 files changed, 54 insertions(+), 38 deletions(-)
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index 12f48d2d23..d8eac4c714 100644
index c124e80..1174f8d 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -83,12 +83,14 @@ installdirs:
@ -35,13 +35,13 @@ index 12f48d2d23..d8eac4c714 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
- (cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
uninstall::
rm -f ${DESTDIR}${mandir}/man8/named-compilezone.8
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
index 87f13dda4b..7865c0c73e 100644
index 87f13dd..7865c0c 100644
--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -95,13 +95,14 @@ installdirs:
@ -64,7 +64,7 @@ index 87f13dda4b..7865c0c73e 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man8/tsig-keygen.8
diff --git a/bin/delv/Makefile.in b/bin/delv/Makefile.in
index e2d2802262..19361a83ea 100644
index e2d2802..19361a8 100644
--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -63,10 +63,12 @@ installdirs:
@ -83,7 +83,7 @@ index e2d2802262..19361a83ea 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man1/delv.1
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 773ac46395..3edd951e7e 100644
index a9830a9..d7ac0b6 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -91,16 +91,16 @@ installdirs:
@ -102,13 +102,13 @@ index 773ac46395..3edd951e7e 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1 || exit 1; \
- done
uninstall::
for m in ${MANPAGES}; do \
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 1be1d5ffc6..1d0c4ce5c1 100644
index 2239ad1..ce0a177 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -110,9 +110,11 @@ installdirs:
@ -120,16 +120,16 @@ index 1be1d5ffc6..1d0c4ce5c1 100644
+ ${INSTALL_DATA} $^ ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs install-man8
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8 || exit 1; done
uninstall::
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m ; done
for m in ${MANPAGES}; do rm -f ${DESTDIR}${mandir}/man8/$$m || exit 1; done
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 1c413973d0..03e4cb849b 100644
index e1f85a9..d92bc9a 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -172,12 +172,17 @@ installdirs:
@@ -176,12 +176,17 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
@ -152,7 +152,7 @@ index 1c413973d0..03e4cb849b 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man5/named.conf.5
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae9061626c..a058c91214 100644
index ae90616..a058c91 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -71,7 +71,10 @@ installdirs:
@ -179,7 +179,7 @@ index ae9061626c..a058c91214 100644
uninstall::
rm -f ${DESTDIR}${mandir}/man8/pkcs11-tokens.8
diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
index aa678d47ab..064c404e2f 100644
index aa678d4..064c404 100644
--- a/bin/python/Makefile.in
+++ b/bin/python/Makefile.in
@@ -47,13 +47,13 @@ installdirs:
@ -201,7 +201,7 @@ index aa678d47ab..064c404e2f 100644
if test -n "${DESTDIR}" ; then \
${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} @PYTHON_INSTALL_LIB@ ; \
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index 7bf2af4cea..c395bc7462 100644
index 7bf2af4..c395bc7 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -119,17 +119,27 @@ installdirs:

14
SOURCES/bind-9.11-rh1410433.patch
View File

@ -1,14 +1,16 @@
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
index 0ce5e42..556d920 100644
index 15561ce..e4449b0 100644
--- a/lib/dns/dyndb.c
+++ b/lib/dns/dyndb.c
@@ -130,9 +130,6 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
@@ -133,8 +133,11 @@ load_library(isc_mem_t *mctx, const char *filename, const char *instname,
instname, filename);
flags = RTLD_NOW|RTLD_LOCAL;
-#ifdef RTLD_DEEPBIND
- flags |= RTLD_DEEPBIND;
-#endif
+#if 0
+ /* Shared global namespace is required for dns-pkcs11 library */
#if defined(RTLD_DEEPBIND) && !__SANITIZE_ADDRESS__
flags |= RTLD_DEEPBIND;
+#endif
#endif
handle = dlopen(filename, flags);
if (handle == NULL)

128
SOURCES/bind-9.11-rh1624100.patch
View File

@ -1,4 +1,4 @@
From 25ff8ab2b0772262d358272a3ed70a24fc6e4887 Mon Sep 17 00:00:00 2001
From 76594cba9a1e910bb36160d96fc3872349341799 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
Date: Wed, 25 Apr 2018 14:04:31 +0200
Subject: [PATCH] Replace isc_safe routines with their OpenSSL counter parts
@ -14,20 +14,20 @@ Fix the isc_safe_memwipe() usage with (NULL, >0)
(cherry picked from commit 083461d3329ff6f2410745848a926090586a9846)
---
bin/dnssec/dnssec-signzone.c | 2 +-
lib/dns/nsec3.c | 4 +--
lib/dns/spnego.c | 4 +--
lib/isc/Makefile.in | 8 ++---
lib/isc/include/isc/safe.h | 18 ++++------
lib/isc/safe.c | 81 --------------------------------------------
lib/isc/tests/safe_test.c | 20 -----------
7 files changed, 13 insertions(+), 124 deletions(-)
lib/dns/nsec3.c | 4 +-
lib/dns/spnego.c | 4 +-
lib/isc/Makefile.in | 8 +---
lib/isc/include/isc/safe.h | 18 ++------
lib/isc/safe.c | 83 ------------------------------------
lib/isc/tests/safe_test.c | 18 --------
7 files changed, 11 insertions(+), 126 deletions(-)
delete mode 100644 lib/isc/safe.c
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 53be1f5c60..351296a356 100644
index 6ddaebe..d921870 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -786,7 +786,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
@@ -787,7 +787,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
static int
hashlist_comp(const void *a, const void *b) {
@ -37,10 +37,10 @@ index 53be1f5c60..351296a356 100644
static void
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index d364308aaf..37b6a8a7fe 100644
index 6ae7ca8..01426d6 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1950,7 +1950,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
@@ -1963,7 +1963,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
* Work out what this NSEC3 covers.
* Inside (<0) or outside (>=0).
*/
@ -49,7 +49,7 @@ index d364308aaf..37b6a8a7fe 100644
/*
* Prepare to compute all the hashes.
@@ -1974,7 +1974,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
@@ -1987,7 +1987,7 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
return (ISC_R_IGNORE);
}
@ -59,10 +59,10 @@ index d364308aaf..37b6a8a7fe 100644
/*
* The hashes are the same.
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index ce3e42d650..079d4c1b4a 100644
index ad77f24..670982a 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -369,7 +369,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
@@ -371,7 +371,7 @@ gssapi_spnego_decapsulate(OM_uint32 *,
/* mod_auth_kerb.c */
@ -71,7 +71,7 @@ index ce3e42d650..079d4c1b4a 100644
cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
{
unsigned char *p;
@@ -393,7 +393,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
@@ -395,7 +395,7 @@ cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
if (((OM_uint32) *p++) != gssoid->length)
return (GSS_S_DEFECTIVE_TOKEN);
@ -81,15 +81,15 @@ index ce3e42d650..079d4c1b4a 100644
/* accept_sec_context.c */
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index ba53ef1091..98acffffc9 100644
index 0fd0837..8ad54bb 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -60,7 +60,7 @@ OBJS = @ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
rwlock.@O@ \
- safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
- safe.@O@ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+ serial.@O@ siphash.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
tm.@O@ timer.@O@ version.@O@ \
${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
@ -97,8 +97,8 @@ index ba53ef1091..98acffffc9 100644
netaddr.c netscope.c pool.c ondestroy.c \
parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
- safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
- safe.c serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
+ serial.c siphash.c sha1.c sha2.c sockaddr.c stats.c string.c \
strtoul.c symtab.c task.c taskpool.c timer.c \
tm.c version.c
@ -114,28 +114,28 @@ index ba53ef1091..98acffffc9 100644
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
index f29f00bac6..b8a0b2290c 100644
index 66ed08b..88b8f47 100644
--- a/lib/isc/include/isc/safe.h
+++ b/lib/isc/include/isc/safe.h
@@ -15,27 +15,21 @@
@@ -15,29 +15,19 @@
/*! \file isc/safe.h */
-#include <stdbool.h>
-
-#include <isc/types.h>
-#include <stdlib.h>
+#include <isc/boolean.h>
+#include <isc/lang.h>
+
+#include <openssl/crypto.h>
ISC_LANG_BEGINDECLS
-isc_boolean_t
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n);
+#define isc_safe_memequal(s1, s2, n) ISC_TF(!CRYPTO_memcmp(s1, s2, n))
+#define isc_safe_memequal(s1, s2, n) !CRYPTO_memcmp(s1, s2, n)
/*%<
* Returns ISC_TRUE iff. two blocks of memory are equal, otherwise
* ISC_FALSE.
* Returns true iff. two blocks of memory are equal, otherwise
* false.
*
*/
@ -153,10 +153,10 @@ index f29f00bac6..b8a0b2290c 100644
*
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
deleted file mode 100644
index 5c9e1e2d13..0000000000
index 7a464b6..0000000
--- a/lib/isc/safe.c
+++ /dev/null
@@ -1,81 +0,0 @@
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
@ -172,6 +172,8 @@ index 5c9e1e2d13..0000000000
-
-#include <config.h>
-
-#include <stdbool.h>
-
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
@ -184,18 +186,18 @@ index 5c9e1e2d13..0000000000
-#pragma optimize("", off)
-#endif
-
-isc_boolean_t
-bool
-isc_safe_memequal(const void *s1, const void *s2, size_t n) {
- isc_uint8_t acc = 0;
- uint8_t acc = 0;
-
- if (n != 0U) {
- const isc_uint8_t *p1 = s1, *p2 = s2;
- const uint8_t *p1 = s1, *p2 = s2;
-
- do {
- acc |= *p1++ ^ *p2++;
- } while (--n != 0U);
- }
- return (ISC_TF(acc == 0));
- return (acc == 0);
-}
-
-
@ -239,35 +241,33 @@ index 5c9e1e2d13..0000000000
-#endif
-}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
index f721cd1096..ea3e61f98d 100644
index 266ac75..60e9181 100644
--- a/lib/isc/tests/safe_test.c
+++ b/lib/isc/tests/safe_test.c
@@ -39,24 +39,6 @@ ATF_TC_BODY(isc_safe_memequal, tc) {
@@ -45,22 +45,6 @@ isc_safe_memequal_test(void **state) {
"\x00\x00\x00\x00", 4));
}
-ATF_TC(isc_safe_memcompare);
-ATF_TC_HEAD(isc_safe_memcompare, tc) {
- atf_tc_set_md_var(tc, "descr", "safe memcompare()");
-}
-ATF_TC_BODY(isc_safe_memcompare, tc) {
- UNUSED(tc);
-/* test isc_safe_memcompare() */
-static void
-isc_safe_memcompare_test(void **state) {
- UNUSED(state);
-
- ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
- ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4) == 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
- assert_int_equal(isc_safe_memcompare("test", "test", 4), 0);
- assert_true(isc_safe_memcompare("test", "tesc", 4) > 0);
- assert_true(isc_safe_memcompare("test", "tesy", 4) < 0);
- assert_int_equal(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x00", 4), 0);
- assert_true(isc_safe_memcompare("\x00\x00\x00\x00",
- "\x00\x00\x00\x01", 4) < 0);
- ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
- assert_true(isc_safe_memcompare("\x00\x00\x00\x02",
- "\x00\x00\x00\x00", 4) > 0);
-}
-
ATF_TC(isc_safe_memwipe);
ATF_TC_HEAD(isc_safe_memwipe, tc) {
atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
@@ -67,7 +49,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
/* test isc_safe_memwipe() */
static void
isc_safe_memwipe_test(void **state) {
@@ -69,7 +53,6 @@ isc_safe_memwipe_test(void **state) {
/* These should pass. */
isc_safe_memwipe(NULL, 0);
isc_safe_memwipe((void *) -1, 0);
@ -275,14 +275,14 @@ index f721cd1096..ea3e61f98d 100644
/*
* isc_safe_memwipe(ptr, size) should function same as
@@ -106,7 +87,6 @@ ATF_TC_BODY(isc_safe_memwipe, tc) {
*/
ATF_TP_ADD_TCS(tp) {
ATF_TP_ADD_TC(tp, isc_safe_memequal);
- ATF_TP_ADD_TC(tp, isc_safe_memcompare);
ATF_TP_ADD_TC(tp, isc_safe_memwipe);
return (atf_no_error());
}
--
2.14.4
@@ -108,7 +91,6 @@ main(void) {
const struct CMUnitTest tests[] = {
cmocka_unit_test(isc_safe_memequal_test),
cmocka_unit_test(isc_safe_memwipe_test),
- cmocka_unit_test(isc_safe_memcompare_test),
};
return (cmocka_run_group_tests(tests, NULL, NULL));
--
2.20.1

37
SOURCES/bind-9.11-rh1668682.patch Normal file
View File

@ -0,0 +1,37 @@
From 16c1bd61384e993fef13d7be88fdd34551a2b3ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 23 Jan 2019 20:12:51 +0100
Subject: [PATCH] Use custom random generator only for bind build
Do not test random entropy on startup when used by DHCP. On most cases
random entropy is not even used by DHCP. In cases it is (LDAP SSL), fail
whenever it is not available.
Resolves: rhbz#1668682
---
lib/dns/openssl_link.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 91e87d0..2551b0a 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -289,6 +289,7 @@ dst__openssl_init(const char *engine) {
#endif
#endif /* !defined(OPENSSL_NO_ENGINE) */
+#ifdef ISC_PLATFORM_USETHREADS
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
FATAL_ERROR(__FILE__, __LINE__,
@@ -296,6 +297,7 @@ dst__openssl_init(const char *engine) {
"cannot be initialized (see the `PRNG not "
"seeded' message in the OpenSSL FAQ)");
}
+#endif /* ISC_PLATFORM_USETHREADS */
return (ISC_R_SUCCESS);
--
2.20.1

591
SOURCES/bind-9.11-rt31459.patch
View File

File diff suppressed because it is too large Load Diff

91
SOURCES/bind-9.11-rt46047-2.patch
View File

@ -1,91 +0,0 @@
From c79ff443ba029eaf7da8781aef0b1ddbed467781 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 14 Jun 2019 12:30:01 +0200
Subject: [PATCH] Fix OpenSSL random generator warnings Squashed commit of the
following:
commit 70492c6361e55309dae0e48ae031e295f0a46a5e
Author: Evan Hunt <each@isc.org>
Date: Sat Sep 16 21:01:06 2017 -0700
[master] silence compiler warning
(cherry picked from commit 6e5ae91479408540f04337c9dc27c3f3fffae6c7)
commit 4d8c2767b584d993eb898d2210c85ffce214d1dc
Author: Mark Andrews <marka@isc.org>
Date: Fri Dec 22 08:48:38 2017 +1100
add POST(argc);
(cherry picked from commit be5a0eaa7adafc454658e09672d865eb453baeab)
(cherry picked from commit 0163c3b8130cbed705c3267948ab49eebe26286d)
commit c64b5b10a3a175482b89eddbe63d8b5107a2fbf3
Author: Petr Mensik <pemensik@redhat.com>
Date: Thu Jun 13 22:23:14 2019 +0200
fixup! completed and corrected the crypto-random change
---
bin/named/server.c | 3 +++
bin/tests/system/tkey/keydelete.c | 1 +
lib/dns/tests/dstrandom_test.c | 3 +--
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index db0270900f..1afb461226 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8100,6 +8100,8 @@ load_configuration(const char *filename, ns_server_t *server,
}
#endif
} else {
+ result = isc_entropy_createfilesource(ns_g_entropy,
+ randomdev);
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
@@ -8893,6 +8895,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
+ server->rngctx = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 3d5ac74486..55ebb66a60 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -172,6 +172,7 @@ main(int argc, char **argv) {
randomfile = argv[2];
argv += 2;
argc -= 2;
+ POST(argc);
}
keyname = argv[1];
diff --git a/lib/dns/tests/dstrandom_test.c b/lib/dns/tests/dstrandom_test.c
index d2c72e7685..56738d14a4 100644
--- a/lib/dns/tests/dstrandom_test.c
+++ b/lib/dns/tests/dstrandom_test.c
@@ -14,8 +14,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
/*! \file */
#include <config.h>
@@ -24,6 +22,7 @@
#include <stdio.h>
#include <string.h>
+#include <unistd.h>
#include <isc/entropy.h>
#include <isc/mem.h>
--
2.20.1

267
SOURCES/bind-9.11-rt46047.patch
View File

@ -1,4 +1,4 @@
From dc861636b6bcb4a028b2392347a57a61bb5ece6e Mon Sep 17 00:00:00 2001
From 5a465424f5249ceaf0547ab90361a16eb08f7a2b Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 28 Sep 2017 10:09:22 -0700
Subject: [PATCH] completed and corrected the crypto-random change
@ -33,23 +33,25 @@ Subject: [PATCH] completed and corrected the crypto-random change
bin/named/include/named/server.h | 2 +
bin/named/interfacemgr.c | 1 +
bin/named/query.c | 1 +
bin/named/server.c | 52 +++++++++++++---------
bin/named/server.c | 52 ++++++++++++++--------
bin/nsupdate/nsupdate.c | 4 +-
bin/tests/system/pipelined/pipequeries.c | 4 +-
bin/tests/system/tkey/keycreate.c | 4 +-
bin/tests/system/tkey/keydelete.c | 4 +-
bin/tests/system/tkey/keydelete.c | 5 +--
doc/arm/Bv9ARM-book.xml | 55 +++++++++++++++++-------
doc/arm/notes.xml | 23 +++++++++-
lib/dns/dst_api.c | 7 ++-
doc/arm/notes-rh-changes.xml | 43 ++++++++++++++++++
doc/arm/notes.xml | 1 +
lib/dns/dst_api.c | 4 +-
lib/dns/include/dst/dst.h | 14 +++++-
lib/dns/openssl_link.c | 3 +-
lib/isc/include/isc/entropy.h | 50 +++++++++++++++------
lib/isc/include/isc/random.h | 28 +++++++-----
lib/isccfg/namedconf.c | 2 +-
22 files changed, 218 insertions(+), 110 deletions(-)
23 files changed, 241 insertions(+), 106 deletions(-)
create mode 100644 doc/arm/notes-rh-changes.xml
diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c
index fa439cc..a7ad417 100644
index 295e16f..0f79aa8 100644
--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -161,17 +161,15 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
@ -65,7 +67,7 @@ index fa439cc..a7ad417 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -76,10 +78,10 @@ index fa439cc..a7ad417 100644
&entropy_source,
randomfile,
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 96dfef6..1c84b06 100644
index 0ae6b41..4562430 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -349,15 +349,23 @@
@@ -348,15 +348,23 @@
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
@ -112,16 +114,16 @@ index 96dfef6..1c84b06 100644
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4ea9eaf..5dd9475 100644
index 31a99e7..38c83ed 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -239,18 +239,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -241,18 +241,16 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
ISC_LIST_INIT(sources);
}
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ if (randomfile == NULL) {
+ isc_entropy_usehook(*ectx, ISC_TRUE);
+ isc_entropy_usehook(*ectx, true);
+ }
+#endif
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
@ -133,17 +135,17 @@ index 4ea9eaf..5dd9475 100644
- if (randomfile != NULL &&
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
- isc_entropy_usehook(*ectx, ISC_TRUE);
- isc_entropy_usehook(*ectx, true);
- }
-#endif
result = isc_entropy_usebestsource(*ectx, &source, randomfile,
usekeyboard);
diff --git a/bin/named/client.c b/bin/named/client.c
index b7d8a98..56d475c 100644
index 50fa2cd..524d9a3 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1605,7 +1605,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
@@ -1762,7 +1762,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
isc_buffer_init(&buf, cookie, sizeof(cookie));
isc_stdtime_get(&now);
@ -154,10 +156,10 @@ index b7d8a98..56d475c 100644
compute_cookie(client, now, nonce, ns_g_server->secret, &buf);
diff --git a/bin/named/config.c b/bin/named/config.c
index c50f759..c1e72ef 100644
index dbdff64..63da4b0 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -92,7 +92,9 @@ options {\n\
@@ -98,7 +98,9 @@ options {\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
port 53;\n\
prefetch 2 9;\n"
@ -169,10 +171,10 @@ index c50f759..c1e72ef 100644
#endif
" recursing-file \"named.recursing\";\n\
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 237e8dc..b905475 100644
index d955c2f..40621f2 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -322,9 +322,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
@@ -325,9 +325,10 @@ log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
static void
control_recvmessage(isc_task_t *task, isc_event_t *event) {
@ -185,8 +187,8 @@ index 237e8dc..b905475 100644
+ controlkey_t *key = NULL;
isccc_sexpr_t *request = NULL;
isccc_sexpr_t *response = NULL;
isc_uint32_t algorithm;
@@ -335,16 +336,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
uint32_t algorithm;
@@ -338,16 +339,17 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
isc_buffer_t *text;
isc_result_t result;
isc_result_t eresult;
@ -194,7 +196,7 @@ index 237e8dc..b905475 100644
+ isccc_sexpr_t *_ctrl = NULL;
isccc_time_t sent;
isccc_time_t exp;
isc_uint32_t nonce;
uint32_t nonce;
- isccc_sexpr_t *data;
+ isccc_sexpr_t *data = NULL;
@ -206,25 +208,25 @@ index 237e8dc..b905475 100644
algorithm = DST_ALG_UNKNOWN;
secret.rstart = NULL;
text = NULL;
@@ -455,8 +457,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
@@ -458,8 +460,11 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Establish nonce.
*/
if (conn->nonce == 0) {
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
+ while (conn->nonce == 0) {
+ isc_uint16_t r1 = isc_rng_random(server->rngctx);
+ isc_uint16_t r2 = isc_rng_random(server->rngctx);
+ uint16_t r1 = isc_rng_random(server->rngctx);
+ uint16_t r2 = isc_rng_random(server->rngctx);
+ conn->nonce = (r1 << 16) | r2;
+ }
eresult = ISC_R_SUCCESS;
} else
eresult = ns_control_docommand(request, listener->readonly, &text);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index d8179a6..e03d24d 100644
index 7ee8f66..8982d26 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -17,6 +17,7 @@
@@ -20,6 +20,7 @@
#include <isc/log.h>
#include <isc/magic.h>
#include <isc/quota.h>
@ -232,19 +234,19 @@ index d8179a6..e03d24d 100644
#include <isc/sockaddr.h>
#include <isc/types.h>
#include <isc/xml.h>
@@ -131,6 +132,7 @@ struct ns_server {
@@ -134,6 +135,7 @@ struct ns_server {
char * lockfile;
isc_uint16_t transfer_tcp_message_size;
uint16_t transfer_tcp_message_size;
+ isc_rng_t * rngctx;
};
struct ns_altsecret {
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index d8c7188..50f924e 100644
index 9dea7c1..272d300 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -15,6 +15,7 @@
@@ -17,6 +17,7 @@
#include <isc/interfaceiter.h>
#include <isc/os.h>
@ -253,10 +255,10 @@ index d8c7188..50f924e 100644
#include <isc/task.h>
#include <isc/util.h>
diff --git a/bin/named/query.c b/bin/named/query.c
index accbf3b..d89622d 100644
index c9e5469..0940714 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -18,6 +18,7 @@
@@ -19,6 +19,7 @@
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/print.h>
@ -265,10 +267,10 @@ index accbf3b..d89622d 100644
#include <isc/serial.h>
#include <isc/stats.h>
diff --git a/bin/named/server.c b/bin/named/server.c
index ca789e5..db02709 100644
index 36fc047..3c1eec0 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8076,21 +8076,30 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8208,21 +8208,32 @@ load_configuration(const char *filename, ns_server_t *server,
* Open the source of entropy.
*/
if (first_time) {
@ -277,11 +279,6 @@ index ca789e5..db02709 100644
obj = NULL;
result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "no source of entropy found");
- } else {
- const char *randomdev = cfg_obj_asstring(obj);
+ if (result == ISC_R_SUCCESS) {
+ if (!cfg_obj_isvoid(obj)) {
+ level = ISC_LOG_INFO;
@ -289,28 +286,33 @@ index ca789e5..db02709 100644
+ }
+ }
+ if (randomdev == NULL) {
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
+ isc_entropy_usehook(ns_g_entropy, ISC_TRUE);
#else
- int level = ISC_LOG_ERROR;
- result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+#ifdef ISC_PLATFORM_CRYPTORANDOM
+ isc_entropy_usehook(ns_g_entropy, true);
+#else
+ if ((obj != NULL) && !cfg_obj_isvoid(obj))
+ level = ISC_LOG_INFO;
+ isc_log_write(named_g_lctx, NS_LOGCATEGORY_GENERAL,
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ NS_LOGMODULE_SERVER, level,
+ "no source of entropy found");
"no source of entropy found");
+ if ((obj == NULL) || cfg_obj_isvoid(obj)) {
+ CHECK(ISC_R_FAILURE);
+ }
+#endif
+ } else {
} else {
- const char *randomdev = cfg_obj_asstring(obj);
-#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (strcmp(randomdev, ISC_PLATFORM_CRYPTORANDOM) == 0)
- isc_entropy_usehook(ns_g_entropy, true);
-#else
- int level = ISC_LOG_ERROR;
result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
+ randomdev);
#ifdef PATH_RANDOMDEV
if (ns_g_fallbackentropy != NULL) {
level = ISC_LOG_INFO;
@@ -8101,8 +8110,8 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8233,8 +8244,8 @@ load_configuration(const char *filename, ns_server_t *server,
NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER,
level,
@ -321,24 +323,33 @@ index ca789e5..db02709 100644
randomdev,
isc_result_totext(result));
}
@@ -8122,7 +8131,6 @@ load_configuration(const char *filename, ns_server_t *server,
@@ -8254,7 +8265,6 @@ load_configuration(const char *filename, ns_server_t *server,
}
isc_entropy_detach(&ns_g_fallbackentropy);
}
-#endif
#endif
}
}
@@ -8911,6 +8919,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
@@ -9022,6 +9032,7 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
server->in_roothints = NULL;
server->blackholeacl = NULL;
server->keepresporder = NULL;
+ server->rngctx = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
@@ -9048,6 +9059,9 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
&server->tkeyctx),
"creating TKEY context");
+ server->rngctx = NULL;
+ CHECKFATAL(isc_rng_create(ns_g_mctx, ns_g_entropy, &server->rngctx),
+ "creating random numbers context");
/*
* Setup the server task, which is responsible for coordinating
@@ -9117,7 +9127,8 @@ ns_server_destroy(ns_server_t **serverp) {
@@ -9254,7 +9268,8 @@ ns_server_destroy(ns_server_t **serverp) {
if (server->zonemgr != NULL)
dns_zonemgr_detach(&server->zonemgr);
@ -348,7 +359,7 @@ index ca789e5..db02709 100644
if (server->tkeyctx != NULL)
dns_tkeyctx_destroy(&server->tkeyctx);
@@ -13018,10 +13029,10 @@ newzone_cfgctx_destroy(void **cfgp) {
@@ -13230,10 +13245,10 @@ newzone_cfgctx_destroy(void **cfgp) {
static isc_result_t
generate_salt(unsigned char *salt, size_t saltlen) {
@ -356,19 +367,19 @@ index ca789e5..db02709 100644
+ size_t i, n;
union {
unsigned char rnd[256];
- isc_uint32_t rnd32[64];
+ isc_uint16_t rnd16[128];
- uint32_t rnd32[64];
+ uint16_t rnd16[128];
} rnd;
unsigned char text[512 + 1];
isc_region_t r;
@@ -13031,9 +13042,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
@@ -13243,9 +13258,10 @@ generate_salt(unsigned char *salt, size_t saltlen) {
if (saltlen > 256U)
return (ISC_R_RANGE);
- n = (int) (saltlen + sizeof(isc_uint32_t) - 1) / sizeof(isc_uint32_t);
- n = (int) (saltlen + sizeof(uint32_t) - 1) / sizeof(uint32_t);
- for (i = 0; i < n; i++)
- isc_random_get(&rnd.rnd32[i]);
+ n = (saltlen + sizeof(isc_uint16_t) - 1) / sizeof(isc_uint16_t);
+ n = (saltlen + sizeof(uint16_t) - 1) / sizeof(uint16_t);
+ for (i = 0; i < n; i++) {
+ rnd.rnd16[i] = isc_rng_random(ns_g_server->rngctx);
+ }
@ -376,10 +387,10 @@ index ca789e5..db02709 100644
memmove(salt, rnd.rnd, saltlen);
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 46c7acf..a0d0278 100644
index 0286987..0376377 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -281,9 +281,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
@@ -283,9 +283,7 @@ setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
}
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -387,14 +398,14 @@ index 46c7acf..a0d0278 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(*ectx, ISC_TRUE);
isc_entropy_usehook(*ectx, true);
}
#endif
diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c
index 810d99e..d7d10e2 100644
index f0a6ff2..55064f6 100644
--- a/bin/tests/system/pipelined/pipequeries.c
+++ b/bin/tests/system/pipelined/pipequeries.c
@@ -279,9 +279,7 @@ main(int argc, char *argv[]) {
@@ -280,9 +280,7 @@ main(int argc, char *argv[]) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -402,11 +413,11 @@ index 810d99e..d7d10e2 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keycreate.c b/bin/tests/system/tkey/keycreate.c
index 4f2f5b4..0894db7 100644
index fe8698e..937fcc3 100644
--- a/bin/tests/system/tkey/keycreate.c
+++ b/bin/tests/system/tkey/keycreate.c
@@ -255,9 +255,7 @@ main(int argc, char *argv[]) {
@ -417,14 +428,22 @@ index 4f2f5b4..0894db7 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/bin/tests/system/tkey/keydelete.c b/bin/tests/system/tkey/keydelete.c
index 0975bbe..5b8a470 100644
index 2146f9b..64b8e74 100644
--- a/bin/tests/system/tkey/keydelete.c
+++ b/bin/tests/system/tkey/keydelete.c
@@ -182,9 +182,7 @@ main(int argc, char **argv) {
@@ -171,6 +171,7 @@ main(int argc, char **argv) {
randomfile = argv[2];
argv += 2;
argc -= 2;
+ POST(argc);
}
keyname = argv[1];
@@ -182,9 +183,7 @@ main(int argc, char **argv) {
ectx = NULL;
RUNCHECK(isc_entropy_create(mctx, &ectx));
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -432,14 +451,14 @@ index 0975bbe..5b8a470 100644
- strcmp(randomfile, ISC_PLATFORM_CRYPTORANDOM) == 0) {
- randomfile = NULL;
+ if (randomfile == NULL) {
isc_entropy_usehook(ectx, ISC_TRUE);
isc_entropy_usehook(ectx, true);
}
#endif
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index a5d9e2e..2a96f71 100644
index 33e06e6..539973c 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -5070,22 +5070,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
@@ -5076,22 +5076,45 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<term><command>random-device</command></term>
<listitem>
<para>
@ -501,15 +520,28 @@ index a5d9e2e..2a96f71 100644
</para>
</listitem>
</varlistentry>
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index d3fdb5e..fbc78a0 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -115,7 +115,28 @@
<itemizedlist>
<listitem>
<para>
- None.
diff --git a/doc/arm/notes-rh-changes.xml b/doc/arm/notes-rh-changes.xml
new file mode 100644
index 0000000..11c3a7c
--- /dev/null
+++ b/doc/arm/notes-rh-changes.xml
@@ -0,0 +1,43 @@
+
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<section xml:id="relnotes_rh_changes"><info><title>Red Hat Specific Changes</title></info>
+ <itemizedlist>
+ <listitem>
+ <para>
+ By default, BIND now uses the random number generation functions
+ in the cryptographic library (i.e., OpenSSL or a PKCS#11
+ provider) as a source of high-quality randomness rather than
@ -532,25 +564,28 @@ index d3fdb5e..fbc78a0 100644
+ <command>configure --disable-crypto-rand</command>, in which
+ case <filename>/dev/random</filename> will be the default
+ entropy source. [RT #31459] [RT #46047]
</para>
</listitem>
</itemizedlist>
+ </para>
+ </listitem>
+ </itemizedlist>
+</section>
+
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index b16dab6..763ff7e 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -36,6 +36,7 @@
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.1.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-9.11.0.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-rh-changes.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-eol.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes-thankyou.xml"/>
</section>
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 803e7b3..29a4fef 100644
index 1614afa..0f52df9 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -276,8 +276,9 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
#endif
#if defined(OPENSSL) || defined(PKCS11CRYPTO)
#ifdef ISC_PLATFORM_CRYPTORANDOM
- if (dst_entropy_pool != NULL)
+ if (dst_entropy_pool != NULL) {
isc_entropy_sethook(dst_random_getdata);
+ }
#endif
#endif /* defined(OPENSSL) || defined(PKCS11CRYPTO) */
dst_initialized = ISC_TRUE;
@@ -2015,10 +2016,12 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
@@ -2017,10 +2017,12 @@ dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
else
flags |= ISC_ENTROPY_BLOCKING;
#ifdef ISC_PLATFORM_CRYPTORANDOM
@ -565,10 +600,10 @@ index 803e7b3..29a4fef 100644
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index d9b6ab6..e8c1a3c 100644
index 6813c96..665574d 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -161,8 +161,18 @@ isc_result_t
@@ -163,8 +163,18 @@ isc_result_t
dst_random_getdata(void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*%<
@ -588,12 +623,12 @@ index d9b6ab6..e8c1a3c 100644
+ * \li DST_R_OPENSSLFAILURE, DST_R_CRYPTOFAILURE, or other codes on error
*/
isc_boolean_t
bool
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index c1e1bde..91e87d0 100644
index 6849732..e00a0e4 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -482,7 +482,8 @@ dst__openssl_getengine(const char *engine) {
@@ -484,7 +484,8 @@ dst__openssl_getengine(const char *engine) {
isc_result_t
dst_random_getdata(void *data, unsigned int length,
@ -604,7 +639,7 @@ index c1e1bde..91e87d0 100644
#ifndef DONT_REQUIRE_DST_LIB_INIT
INSIST(dst__memory_pool != NULL);
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index d9deb8a..2d37363 100644
index 632166a..c7cb17d 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -9,8 +9,6 @@
@ -616,7 +651,7 @@ index d9deb8a..2d37363 100644
#ifndef ISC_ENTROPY_H
#define ISC_ENTROPY_H 1
@@ -190,9 +188,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
@@ -191,9 +189,8 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
/*!<
* \brief Create an entropy source that is polled via a callback.
*
@ -628,7 +663,7 @@ index d9deb8a..2d37363 100644
*
* Samples are added via isc_entropy_addcallbacksample(), below.
* _addcallbacksample() is the only function which may be called from
@@ -233,15 +230,32 @@ isc_result_t
@@ -234,15 +231,32 @@ isc_result_t
isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
unsigned int *returned, unsigned int flags);
/*!<
@ -668,9 +703,9 @@ index d9deb8a..2d37363 100644
*/
void
@@ -306,13 +320,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
@@ -307,13 +321,21 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
void
isc_entropy_usehook(isc_entropy_t *ectx, isc_boolean_t onoff);
isc_entropy_usehook(isc_entropy_t *ectx, bool onoff);
/*!<
- * \brief Mark/unmark the given entropy structure as being hooked.
+ * \brief Configure entropy context 'ectx' to use the hook function
@ -693,7 +728,7 @@ index d9deb8a..2d37363 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index ba53ebf..b575728 100644
index f8aed34..17c551b 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -9,8 +9,6 @@
@ -736,8 +771,8 @@ index ba53ebf..b575728 100644
ISC_LANG_BEGINDECLS
@@ -115,8 +123,8 @@ isc_rng_random(isc_rng_t *rngctx);
isc_uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, isc_uint16_t upper_bound);
uint16_t
isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
/*%<
- * Returns a uniformly distributed pseudo random 16-bit unsigned
- * integer.
@ -747,10 +782,10 @@ index ba53ebf..b575728 100644
ISC_LANG_ENDDECLS
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 8d496ff..dd08187 100644
index 03890a3..7bad989 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1106,7 +1106,7 @@ options_clauses[] = {
@@ -1109,7 +1109,7 @@ options_clauses[] = {
{ "pid-file", &cfg_type_qstringornone, 0 },
{ "port", &cfg_type_uint32, 0 },
{ "querylog", &cfg_type_boolean, 0 },

3858
SOURCES/bind-9.11-serve-stale.patch Normal file
View File

File diff suppressed because it is too large Load Diff

39
SOURCES/bind-9.11-unit-disable-random.patch
View File

@ -1,4 +1,4 @@
From c89b0e288f923af69b97e8acc29250b262be7d1e Mon Sep 17 00:00:00 2001
From 373f07148217a8e70e33446f5108fb42d1079ba6 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Thu, 21 Feb 2019 22:42:27 +0100
Subject: [PATCH] Disable random_test
@ -9,37 +9,22 @@ subtests can occasionally fail, stop it.
It can be used again by defining 'unstable' variable in Kyuafile.
---
lib/isc/tests/Atffile | 3 ++-
lib/isc/tests/Kyuafile | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
index 8681844..74a4a77 100644
--- a/lib/isc/tests/Atffile
+++ b/lib/isc/tests/Atffile
@@ -20,7 +20,8 @@ tp: pool_test
tp: print_test
tp: queue_test
tp: radix_test
-tp: random_test
+# random test fails too often
+#tp: random_test
tp: regex_test
tp: result_test
tp: safe_test
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
index 1c510c1..a86824a 100644
index 4cd2574..9df2340 100644
--- a/lib/isc/tests/Kyuafile
+++ b/lib/isc/tests/Kyuafile
@@ -19,7 +19,7 @@ atf_test_program{name='pool_test'}
atf_test_program{name='print_test'}
atf_test_program{name='queue_test'}
atf_test_program{name='radix_test'}
-atf_test_program{name='random_test'}
+atf_test_program{name='random_test', required_configs='unstable'}
atf_test_program{name='regex_test'}
atf_test_program{name='result_test'}
atf_test_program{name='safe_test'}
@@ -19,7 +19,7 @@ tap_test_program{name='pool_test'}
tap_test_program{name='print_test'}
tap_test_program{name='queue_test'}
tap_test_program{name='radix_test'}
-tap_test_program{name='random_test'}
+tap_test_program{name='random_test', required_configs='unstable'}
tap_test_program{name='regex_test'}
tap_test_program{name='result_test'}
tap_test_program{name='safe_test'}
--
2.20.1

34
SOURCES/bind-9.11-zone2ldap.patch
View File

@ -1,15 +1,15 @@
From 738d12594972ad816e8cff9821f760aa0682fd08 Mon Sep 17 00:00:00 2001
From 0430b3ac66169eea7a74aaa8bfca50400d3497cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 18 Dec 2018 16:06:26 +0100
Subject: [PATCH] Make absolute hostname by dns API instead of strings
Duplicate all strings in dc_list. Free allocated memory on each record.
---
bin/sdb_tools/zone2ldap.c | 72 +++++++++++++++++++++++++++++------------------
1 file changed, 45 insertions(+), 27 deletions(-)
bin/sdb_tools/zone2ldap.c | 71 +++++++++++++++++++++++++--------------
1 file changed, 45 insertions(+), 26 deletions(-)
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index acf160b..cc482dc 100644
index 76186b5..28df191 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -87,6 +87,10 @@ int get_attr_list_size (char **tmp);
@ -40,26 +40,26 @@ index acf160b..cc482dc 100644
}
else
{
@@ -451,12 +458,17 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -451,12 +458,18 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
char data[2048];
char **dc_list;
char *dn;
+ size_t argzone_len;
+ isc_boolean_t omit_dot;
+ bool omit_dot;
isc_buffer_t buff;
isc_result_t result;
isc_buffer_init (&buff, name, sizeof (name));
- result = dns_name_totext (dnsname, ISC_TRUE, &buff);
result = dns_name_totext (dnsname, true, &buff);
+ argzone_len = strlen(argzone);
+ /* If argzone is absolute, output absolute name too */
+ omit_dot = ISC_TF(!(argzone_len > 0 && argzone[argzone_len-1] == '.'));
+ omit_dot = (!(argzone_len > 0 && argzone[argzone_len-1] == '.'));
+ result = dns_name_totext (dnsname, omit_dot, &buff);
isc_result_check (result, "dns_name_totext");
name[isc_buffer_usedlength (&buff)] = 0;
@@ -478,6 +490,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -478,6 +491,7 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
@ -67,7 +67,7 @@ index acf160b..cc482dc 100644
}
@@ -538,12 +551,9 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -538,12 +552,9 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs == (LDAPMod **) NULL)
fatal("calloc");
@ -83,7 +83,7 @@ index acf160b..cc482dc 100644
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
tmp->attrs[0]->mod_type = objectClass;
@@ -559,9 +569,18 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -559,9 +570,18 @@ add_to_rr_list (char *dn, char *name, char *type,
return;
}
@ -103,7 +103,7 @@ index acf160b..cc482dc 100644
if (tmp->attrs[1]->mod_values == (char **)NULL)
fatal("calloc");
@@ -705,25 +724,16 @@ char **
@@ -705,25 +725,16 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
@ -131,7 +131,7 @@ index acf160b..cc482dc 100644
last = strdup(sameZone);
}else
{
@@ -731,8 +741,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -731,8 +742,6 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
||( strcmp( hostname + (hlen - zlen), zone ) != 0)
)
{
@ -140,7 +140,7 @@ index acf160b..cc482dc 100644
hname=(char*)malloc( hlen + zlen + 1);
if( *zone == '.' )
sprintf(hname, "%s%s", hostname, zone);
@@ -740,8 +748,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -740,8 +749,7 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
sprintf(hname,"%s",zone);
}else
{
@ -150,7 +150,7 @@ index acf160b..cc482dc 100644
}
last = hname;
}
@@ -754,18 +761,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -754,18 +762,21 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
tmp = strrchr (hname, '.'))
{
@ -176,7 +176,7 @@ index acf160b..cc482dc 100644
if( ( last != hname ) && (tmp != hname) )
dn_buffer[i++] = hname;
dn_buffer[i++] = last;
@@ -825,6 +835,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
@@ -825,6 +836,14 @@ build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
return dn;
}
@ -192,5 +192,5 @@ index acf160b..cc482dc 100644
/* Initialize LDAP Conn */
void
--
2.14.5
2.20.1

50
SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
View File

@ -36,10 +36,10 @@ index 95ab742..6069f09 100644
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
diff --git a/bin/sdb_tools/zone2ldap.c b/bin/sdb_tools/zone2ldap.c
index 23dd873..d56bc56 100644
index aa2c711..76186b5 100644
--- a/bin/sdb_tools/zone2ldap.c
+++ b/bin/sdb_tools/zone2ldap.c
@@ -65,6 +66,9 @@ ldap_info;
@@ -66,6 +66,9 @@ ldap_info;
/* usage Info */
void usage (void);
@ -49,7 +49,7 @@ index 23dd873..d56bc56 100644
/* Add to the ldap dit */
void add_ldap_values (ldap_info * ldinfo);
@@ -81,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
@@ -82,7 +85,7 @@ char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
int get_attr_list_size (char **tmp);
/* Get a DN */
@ -58,7 +58,7 @@ index 23dd873..d56bc56 100644
/* Add to RR list */
void add_to_rr_list (char *dn, char *name, char *type, char *data,
@@ -103,11 +107,27 @@ void
@@ -104,11 +107,27 @@ void
init_ldap_conn ();
void usage();
@ -91,7 +91,7 @@ index 23dd873..d56bc56 100644
LDAP *conn;
unsigned int debug = 0;
@@ -131,12 +151,12 @@ main (int argc, char **argv)
@@ -132,12 +151,12 @@ main (int argc, char **argv)
isc_result_t result;
char *basedn;
ldap_info *tmp;
@ -107,7 +107,7 @@ index 23dd873..d56bc56 100644
dns_fixedname_t fixedzone, fixedname;
dns_rdataset_t rdataset;
char **dc_list;
@@ -149,7 +169,7 @@ main (int argc, char **argv)
@@ -150,7 +169,7 @@ main (int argc, char **argv)
extern char *optarg;
extern int optind, opterr, optopt;
int create_base = 0;
@ -116,7 +116,7 @@ index 23dd873..d56bc56 100644
if (argc < 2)
{
@@ -157,7 +177,7 @@ main (int argc, char **argv)
@@ -158,7 +177,7 @@ main (int argc, char **argv)
exit (-1);
}
@ -125,7 +125,7 @@ index 23dd873..d56bc56 100644
{
switch (topt)
{
@@ -180,6 +200,9 @@ main (int argc, char **argv)
@@ -181,6 +200,9 @@ main (int argc, char **argv)
if (bindpw == NULL)
fatal("strdup");
break;
@ -135,7 +135,7 @@ index 23dd873..d56bc56 100644
case 'b':
ldapbase = strdup (optarg);
if (ldapbase == NULL)
@@ -301,27 +324,62 @@ main (int argc, char **argv)
@@ -300,27 +322,62 @@ main (int argc, char **argv)
{
if (debug)
printf ("Creating base zone DN %s\n", argzone);
@ -208,7 +208,7 @@ index 23dd873..d56bc56 100644
}
else
{
@@ -330,8 +388,13 @@ main (int argc, char **argv)
@@ -329,8 +386,13 @@ main (int argc, char **argv)
else
sprintf (fullbasedn, "%s", ctmp);
}
@ -222,7 +222,7 @@ index 23dd873..d56bc56 100644
}
}
@@ -409,14 +472,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
@@ -408,14 +470,14 @@ generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, unsigned int ttl)
isc_result_check (result, "dns_rdata_totext");
data[isc_buffer_usedlength (&buff)] = 0;
@ -240,7 +240,7 @@ index 23dd873..d56bc56 100644
}
@@ -456,7 +519,8 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -455,7 +517,8 @@ add_to_rr_list (char *dn, char *name, char *type,
int attrlist;
char ldap_type_buffer[128];
char charttl[64];
@ -250,7 +250,7 @@ index 23dd873..d56bc56 100644
if ((tmp = locate_by_dn (dn)) == NULL)
{
@@ -483,13 +547,13 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -482,13 +545,13 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("malloc");
}
tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
@ -267,7 +267,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[1] = NULL;
tmp->attrcnt = 2;
tmp->next = ldap_info_base;
@@ -498,7 +562,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -497,7 +560,7 @@ add_to_rr_list (char *dn, char *name, char *type,
}
tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
@ -276,7 +276,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[1]->mod_values == (char **)NULL)
@@ -527,7 +591,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -526,7 +589,7 @@ add_to_rr_list (char *dn, char *name, char *type,
fatal("strdup");
tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
@ -285,7 +285,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
if (tmp->attrs[3]->mod_values == (char **)NULL)
@@ -540,14 +604,25 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -539,14 +602,25 @@ add_to_rr_list (char *dn, char *name, char *type,
if (tmp->attrs[3]->mod_values[0] == NULL)
fatal("strdup");
@ -313,7 +313,7 @@ index 23dd873..d56bc56 100644
tmp->attrs[4]->mod_values[1] = NULL;
tmp->attrs[5] = NULL;
@@ -558,7 +633,7 @@ add_to_rr_list (char *dn, char *name, char *type,
@@ -557,7 +631,7 @@ add_to_rr_list (char *dn, char *name, char *type,
else
{
@ -322,7 +322,7 @@ index 23dd873..d56bc56 100644
{
sprintf (ldap_type_buffer, "%sRecord", type);
if (!strncmp
@@ -632,44 +707,70 @@ char **
@@ -631,44 +705,70 @@ char **
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
{
char *tmp;
@ -430,7 +430,7 @@ index 23dd873..d56bc56 100644
dn_buffer[i] = NULL;
return dn_buffer;
@@ -681,24 +782,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
@@ -680,24 +780,32 @@ hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
* exception of "@"/SOA. */
char *
@ -459,7 +459,7 @@ index 23dd873..d56bc56 100644
if (flag == WI_SPEC)
{
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl);
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%u,", dc_list[x], ttl);
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
else if (x == (size - 2))
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
@ -467,7 +467,7 @@ index 23dd873..d56bc56 100644
else
sprintf(tmp,"dc=%s,", dc_list[x]);
}
@@ -724,6 +833,7 @@ void
@@ -723,6 +831,7 @@ void
init_ldap_conn ()
{
int result;
@ -475,7 +475,7 @@ index 23dd873..d56bc56 100644
conn = ldap_open (ldapsystem, LDAP_PORT);
if (conn == NULL)
{
@@ -733,7 +843,7 @@ init_ldap_conn ()
@@ -732,7 +841,7 @@ init_ldap_conn ()
}
result = ldap_simple_bind_s (conn, binddn, bindpw);
@ -484,7 +484,7 @@ index 23dd873..d56bc56 100644
}
/* Like isc_result_check, only for LDAP */
@@ -750,8 +860,6 @@ ldap_result_check (const char *msg, char *dn, int err)
@@ -749,8 +858,6 @@ ldap_result_check (const char *msg, char *dn, int err)
}
}
@ -493,7 +493,7 @@ index 23dd873..d56bc56 100644
/* For running the ldap_info run queue. */
void
add_ldap_values (ldap_info * ldinfo)
@@ -759,14 +867,14 @@ add_ldap_values (ldap_info * ldinfo)
@@ -758,14 +865,14 @@ add_ldap_values (ldap_info * ldinfo)
int result;
char dnbuffer[1024];
@ -510,7 +510,7 @@ index 23dd873..d56bc56 100644
}
@@ -777,5 +885,5 @@ void
@@ -776,5 +883,5 @@ void
usage ()
{
fprintf (stderr,

37
SOURCES/bind-9.9.1-P2-multlib-conflict.patch
View File

@ -1,8 +1,8 @@
diff --git a/config.h.in b/config.h.in
index e1364dd921..1dc65cfb21 100644
index 4ecaa8f..2f65ccc 100644
--- a/config.h.in
+++ b/config.h.in
@@ -588,7 +588,7 @@ int sigwait(const unsigned int *set, int *sig);
@@ -600,7 +600,7 @@ int sigwait(const unsigned int *set, int *sig);
#undef PREFER_GOSTASN1
/* The size of `void *', as computed by sizeof. */
@ -11,39 +11,8 @@ index e1364dd921..1dc65cfb21 100644
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff --git a/configure.in b/configure.in
index 73b1c8ccbb..129fc3f311 100644
--- a/configure.in
+++ b/configure.in
@@ -3523,14 +3523,14 @@ AC_TRY_COMPILE([
#include <sys/socket.h>
#include <netdb.h>
int getnameinfo(const struct sockaddr *, socklen_t, char *,
- socklen_t, char *, socklen_t, unsigned int);],
+ socklen_t, char *, socklen_t, int);],
[ return (0);],
- [AC_MSG_RESULT(socklen_t for buflen; u_int for flags)
+ [AC_MSG_RESULT(socklen_t for buflen; int for flags)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t,
[Define to the sockaddr length type used by getnameinfo(3).])
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t,
[Define to the buffer length type used by getnameinfo(3).])
- AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int,
+ AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int,
[Define to the flags type used by getnameinfo(3).])],
[AC_TRY_COMPILE([
#include <sys/types.h>
@@ -3557,7 +3557,7 @@ int getnameinfo(const struct sockaddr *, size_t, char *,
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_SOCKLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)])])])
+AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, unsigned int)])])])
#
# ...and same for gai_strerror().
diff --git a/isc-config.sh.in b/isc-config.sh.in
index a8a0a89e88..b5e94ed13e 100644
index a8a0a89..b5e94ed 100644
--- a/isc-config.sh.in
+++ b/isc-config.sh.in
@@ -13,7 +13,18 @@ prefix=@prefix@

12
SOURCES/bind-95-rh452060.patch
View File

@ -1,34 +1,34 @@
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index f657c30..ff9a2d2 100644
index c06c804..e75b8b7 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1694,6 +1694,13 @@ clear_query(dig_query_t *query) {
@@ -1816,6 +1816,13 @@ clear_query(dig_query_t *query) {
if (query->timer != NULL)
isc_timer_detach(&query->timer);
+
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = ISC_TRUE;
+ query->pending_free = true;
+ return;
+ }
+
lookup = query->lookup;
if (lookup->current_query == query)
@@ -1719,10 +1726,7 @@ clear_query(dig_query_t *query) {
@@ -1841,10 +1848,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone)
- query->pending_free = ISC_TRUE;
- query->pending_free = true;
- else
- isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query);
}
/*%
@@ -2811,9 +2815,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
@@ -2895,9 +2899,9 @@ send_done(isc_task_t *_task, isc_event_t *event) {
isc_event_free(&event);
if (query->pending_free)

74
SOURCES/bind93-rh490837.patch
View File

@ -1,13 +1,22 @@
? patch
? lib/isc/lex.c.rh490837
Index: lib/isc/lex.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/lex.c,v
retrieving revision 1.86
diff -p -u -r1.86 lex.c
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
index 1f44b5a..a3625f9 100644
--- a/lib/isc/include/isc/stdio.h
+++ b/lib/isc/include/isc/stdio.h
@@ -69,6 +69,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index a8955bc..fc6103b 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -434,17 +434,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
if (source->is_file) {
stream = source->input;
@ -28,34 +37,14 @@ diff -p -u -r1.86 lex.c
goto done;
}
+
source->at_eof = ISC_TRUE;
source->at_eof = true;
}
} else {
Index: lib/isc/include/isc/stdio.h
===================================================================
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
retrieving revision 1.13
diff -p -u -r1.13 stdio.h
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
Index: lib/isc/unix/errno2result.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
retrieving revision 1.17
diff -p -u -r1.17 errno2result.c
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index 2f12bcc..5bfd648 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -40,6 +40,7 @@ isc___errno2result(int posixerrno, bool dolog,
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
@ -63,14 +52,11 @@ diff -p -u -r1.17 errno2result.c
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);
Index: lib/isc/unix/stdio.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
retrieving revision 1.8
diff -p -u -r1.8 stdio.c
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
index e60fa65..77f0b13 100644
--- a/lib/isc/unix/stdio.c
+++ b/lib/isc/unix/stdio.c
@@ -149,3 +149,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno));
}

14
SOURCES/bind97-rh478718.patch
View File

@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in
index 896e81c1ce..73b1c8ccbb 100644
--- a/configure.in
+++ b/configure.in
@@ -4275,6 +4275,10 @@ if test "yes" = "$use_atomic"; then
diff --git a/configure.ac b/configure.ac
index 26c509e..c1bfd62 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4152,6 +4152,10 @@ if test "yes" = "$use_atomic"; then
AC_MSG_RESULT($arch)
fi
@ -14,10 +14,10 @@ index 896e81c1ce..73b1c8ccbb 100644
AC_MSG_CHECKING([compiler support for inline assembly code])
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index 2ff522342f..58df86adb3 100644
index c902d46..9c7c342 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -289,19 +289,25 @@
@@ -284,19 +284,25 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/

1
SOURCES/named-chroot.files
View File

@ -16,6 +16,7 @@
/etc/named
/usr/lib64/bind
/usr/lib/bind
/usr/share/GeoIP
/run/named
# Warning: the order is important
# If a directory containing $ROOTDIR is listed here,

2
SOURCES/named-chroot.service
View File

@ -20,7 +20,7 @@ PIDFile=/var/named/chroot/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

2
SOURCES/named-pkcs11.service
View File

@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

2
SOURCES/named-sdb-chroot.service
View File

@ -20,7 +20,7 @@ PIDFile=/var/named/chroot_sdb/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

2
SOURCES/named-sdb.service
View File

@ -16,7 +16,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

10
SOURCES/named.empty Normal file
View File

@ -0,0 +1,10 @@
$TTL 3H
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1

10
SOURCES/named.localhost Normal file
View File

@ -0,0 +1,10 @@
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1

11
SOURCES/named.loopback Normal file
View File

@ -0,0 +1,11 @@
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
PTR localhost.

45
SOURCES/named.rfc1912.zones Normal file
View File

@ -0,0 +1,45 @@
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};

61
SOURCES/named.root Normal file
View File

@ -0,0 +1,61 @@
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 199.9.14.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE rcvd: 811

19
SOURCES/named.root.key Normal file
View File

@ -0,0 +1,19 @@
managed-keys {
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# This key (20326) was published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers
# being set up for the first time can use the contents of this
# file as initializing keys; thereafter, the keys in the
# managed key database will be trusted and maintained
# automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};

3
SOURCES/named.service
View File

@ -15,8 +15,7 @@ PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'

339
SPECS/bind.spec
View File

@ -1,14 +1,14 @@
#
# Red Hat BIND package .spec file
#
# vim:expandtab ts=2:
%global PATCHVER P2
#%%global PATCHVER P1
#%%global PREVER rc1
%global BINDVERSION %{version}%{?PREVER}%{?PATCHVER:-%{PATCHVER}}
# bcond_without is built by default, unless --without X is passed
# bcond_with is built only when --with X is passed to build
%bcond_without UNITTEST
%bcond_with SYSTEMTEST
%bcond_without SDB
%bcond_without GSSTSIG
@ -19,12 +19,18 @@
%bcond_with LMDB
%bcond_with DLZ
%bcond_without EXPORT_LIBS
%if 0%{?fedora} >= 17
%bcond_without KYUA
%bcond_without GEOIP
%else
%bcond_with KYUA
# Legacy GeoIP support
%bcond_with GEOIP
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
%bcond_without UNITTEST
%else
%bcond_with UNITTEST
%endif
%if 0%{?fedora} >= 28 || 0%{?rhel} >= 8
# New MaxMind GeoLite support
%bcond_without GEOIP2
%else
%bcond_with GEOIP2
%endif
%{?!bind_uid: %global bind_uid 25}
@ -34,6 +40,10 @@
%if %{with SDB}
%global chroot_sdb_prefix %{bind_dir}/chroot_sdb
%endif
%global chroot_create_directories /dev /run/named %{_localstatedir}/{log,named,tmp} \\\
%{_sysconfdir}/{crypto-policies/back-ends,pki/dnssec-keys,named} \\\
%{_libdir}/bind %{_datadir}/GeoIP
## The order of libs is important. See lib/Makefile.in for details
%define bind_export_libs isc dns isccfg irs
%{!?_export_dir:%global _export_dir /bind9-export/}
@ -44,16 +54,16 @@
#
# lib*.so.X versions of selected libraries
%global sover_dns 1102
%global sover_isc 169
%global sover_irs 160
%global sover_isccfg 160
%global sover_dns 1107
%global sover_isc 1104
%global sover_irs 161
%global sover_isccfg 163
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: MPLv2.0
Version: 9.11.4
Release: 22%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Version: 9.11.13
Release: 1%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
#
@ -63,9 +73,16 @@ Source3: named.logrotate
Source7: bind-9.3.1rc1-sdb_tools-Makefile.in
Source8: dnszone.schema
Source12: README.sdb_pgsql
Source16: named.conf
# Refresh by command: dig @a.root-servers.net. +tcp +norec
# or from URL
Source17: https://www.internic.net/domain/named.root
Source18: named.localhost
Source19: named.loopback
Source20: named.empty
Source23: named.rfc1912.zones
Source25: named.conf.sample
Source26: named.conf
Source28: config-18.tar.bz2
Source27: named.root.key
Source30: ldap2zone.c
Source31: ldap2zone.1
Source32: named-sdb.8
@ -111,6 +128,8 @@ Patch140:bind-9.11-rh1410433.patch
Patch145:bind-9.11-rh1205168.patch
# [ISC-Bugs #46853] commit cb616c6d5c2ece1fac37fa6e0bca2b53d4043098 ISC 4851
Patch149:bind-9.11-kyua-pkcs11.patch
# Avoid conflicts with OpenSSL PKCS11 engine
Patch150:bind-9.11-engine-pkcs11.patch
Patch153:bind-9.11-export-suffix.patch
Patch154:bind-9.11-oot-manual.patch
Patch155:bind-9.11-pk11.patch
@ -121,19 +140,19 @@ Patch157:bind-9.11-fips-tests.patch
# commit 083461d3329ff6f2410745848a926090586a9846
Patch158:bind-9.11-rh1624100.patch
Patch159:bind-9.11-host-idn-disable.patch
Patch160:bind-9.11-CVE-2018-5744.patch
Patch161:bind-9.11-CVE-2018-5744-test.patch
Patch162:bind-9.11-CVE-2018-5743.patch
Patch163:bind-9.11-CVE-2018-5743-atomic.patch
Patch164:bind-9.11-fips-code-includes.patch
# [RT #31459] commit 06a8051d2476fb526fe6960832209392c763a9af
Patch165:bind-9.11-rt31459.patch
# [RT #46047] commit 24172bd2eeba91441ab1c65d2717b0692309244a ISC 4724
Patch166:bind-9.11-rt46047.patch
Patch167:bind-9.11-rh1668682.patch
# random_test fails too often by random, disable it
Patch168:bind-9.11-unit-disable-random.patch
Patch169: bind-9.11-rt46047-2.patch
Patch170:bind-9.11-CVE-2019-6471.patch
Patch174:bind-9.11-fips-disable.patch
# Make sure jsonccp-devel does not interfere
Patch175:bind-9.11-json-c.patch
Patch177:bind-9.11-serve-stale.patch
Patch178:bind-9.11-dhcp-time-monotonic.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@ -169,26 +188,22 @@ BuildRequires: systemd
BuildRequires: python3-devel
BuildRequires: python3-ply
BuildRequires: findutils sed
%if %{with GEOIP}
BuildRequires: GeoIP-devel
%endif
%if %{with SDB}
BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mariadb-connector-c-devel
BuildRequires: libdb-devel
%endif
%if %{with KYUA}
%if %{with UNITTEST}
# make unit dependencies
BuildRequires: libatf-c-devel kyua
%else
# shipped atf library requires c++
BuildRequires: gcc-c++
BuildRequires: libcmocka-devel kyua
%endif
%if %{with PKCS11}
BuildRequires: softhsm
%endif
%if %{with SYSTEMTEST}
# bin/tests/system dependencies
BuildRequires: net-tools perl(Net::DNS) perl(Net::DNS::Nameserver)
BuildRequires: perl(Net::DNS) perl(Net::DNS::Nameserver) perl(Time::HiRes) perl(Getopt::Long)
# manual configuration requires this tool
BuildRequires: iproute
%endif
%if %{with GSSTSIG}
BuildRequires: krb5-devel
@ -196,6 +211,12 @@ BuildRequires: krb5-devel
%if %{with LMDB}
BuildRequires: lmdb-devel
%endif
%if %{with GEOIP}
BuildRequires: GeoIP-devel
%endif
%if %{with GEOIP2}
BuildRequires: libmaxminddb-devel
%endif
# Needed to regenerate dig.1 manpage
BuildRequires: docbook-style-xsl, libxslt
@ -323,6 +344,13 @@ required for development with ISC BIND 9
%package lite-devel
Summary: Lite version of header files and libraries needed for BIND DNS development
Requires: bind-libs-lite%{?_isa} = %{epoch}:%{version}-%{release}
Requires: openssl-devel%{?_isa} libxml2-devel%{?_isa}
%if %{with GEOIP}
Requires: GeoIP-devel%{?_isa}
%endif
%if %{with GEOIP2}
Requires: libmaxminddb-devel%{?_isa}
%endif
%description lite-devel
The bind-lite-devel package contains lite version of the header
@ -454,7 +482,7 @@ are used for building ISC DHCP.
%patch72 -p1 -b .64bit
%endif
%patch102 -p1 -b .rh452060
%patch106 -p0 -b .rh490837
%patch106 -p1 -b .rh490837
%patch109 -p1 -b .rh478718
%patch112 -p1 -b .rh645544
%patch130 -p1 -b .libdb
@ -468,16 +496,15 @@ are used for building ISC DHCP.
%patch157 -p1 -b .fips-tests
%patch158 -p1 -b .rh1624100
%patch159 -p1 -b .host-idn-disable
%patch160 -p1 -b .CVE-2018-5744
%patch161 -p1 -b .CVE-2018-5744-test
%patch162 -p1 -b .CVE-2018-5743
%patch163 -p1 -b .CVE-2018-5743-atomic
%patch164 -p1 -b .fips-includes
%patch165 -p1 -b .rt31459
%patch166 -p1 -b .rt46047
%patch167 -p1 -b .rh1668682
%patch168 -p1 -b .random_test-disable
%patch169 -p1 -b .rt46047-2
%patch170 -p1 -b .CVE-2019-6471
%patch174 -p1 -b .rh1737407
%patch175 -p1 -b .json-c
%patch177 -p1 -b .serve-stale
%patch178 -p1 -b .time-monotonic
mkdir lib/dns/tests/testdata/dstrandom
cp -a %{SOURCE50} lib/dns/tests/testdata/dstrandom/random.data
@ -489,6 +516,7 @@ cp -r lib/isc{,-pkcs11}
cp -r lib/dns{,-pkcs11}
%patch136 -p1 -b .dist_pkcs11
%patch149 -p1 -b .kyua-pkcs11
%patch150 -p1 -b .engine-pkcs11
%endif
%if %{with SDB}
@ -538,10 +566,9 @@ done
# normal and pkcs11 unit tests
%define unit_prepare_build() \
cp -uv Kyuafile Atffile "%{1}/" \
cp -uv Kyuafile "%{1}/" \
find lib -name 'K*.key' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Kyuafile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'Atffile' -exec cp -uv '{}' "%{1}/{}" ';' \
find lib -name 'testdata' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
find lib -name 'testkeys' -type d -exec cp -Tav '{}' "%{1}/{}" ';' \
@ -549,14 +576,6 @@ done
cp -Tuav bin/tests "%{1}/bin/tests/" \
cp -uv version "%{1}" \
%if %{with KYUA}
# Use system installed libatf-c library with kyua tool
ATF_PATH=/usr
%else
# Use bundled atf library with atf-run
ATF_PATH=yes
%endif
export CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
export CPPFLAGS="$CPPFLAGS -DDIG_SIGCHASE"
export STD_CDEFINES="$CPPFLAGS"
@ -582,11 +601,14 @@ export LIBDIR_SUFFIX
--disable-static \
--includedir=%{_includedir}/bind9 \
--with-tuning=large \
--with-libidn2 \
--enable-openssl-hash \
%if %{with GEOIP}
--with-geoip \
%endif
--with-libidn2 \
--enable-openssl-hash \
%if %{with GEOIP2}
--with-geoip2 \
%endif
%if %{with PKCS11}
--enable-native-pkcs11 \
--with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
@ -609,7 +631,7 @@ export LIBDIR_SUFFIX
--with-lmdb=no \
%endif
%if %{with UNITTEST}
--with-atf=${ATF_PATH} \
--with-cmocka \
%endif
--enable-fixed-rrset \
--with-docbook-xsl=%{_datadir}/sgml/docbook/xsl-stylesheets \
@ -632,16 +654,6 @@ pushd bin/python
make man
popd
%if ! %{with KYUA}
# Do not build atf again for export libs
ATF_PATH="`pwd`/unit/atf"
# Atf libs are built. Prevent their installation
sed -i -e \
'/^SUBDIRS =/s/atf-src//i' \
unit/Makefile
%endif
%if %{with DLZ}
pushd contrib/dlz
pushd bin/dlzbdb
@ -680,7 +692,7 @@ export LIBDIR_SUFFIX
--disable-isc-spnego \
%endif
%if %{with UNITTEST}
--with-atf=${ATF_PATH} \
--with-cmocka \
%endif
--enable-fixed-rrset \
--disable-rpz-nsip \
@ -704,10 +716,6 @@ sed -i -e \
"/^SUBDIRS =/s/.*/SUBDIRS = %{bind_export_libs}/i" \
lib/Makefile
sed -i -e \
'/^SUBDIRS =/s/atf-src//i' \
unit/Makefile
for lib in %{bind_export_libs}
do
find . -name Makefile -exec sed "s/lib${lib}\./lib${lib}-export\./g" -i {} \;
@ -721,11 +729,15 @@ popd
# export library unit tests
%unit_prepare_build export-libs
# Do not try pkcs11 and lwres in export libs
sed -e '/^\s*include(.*-pkcs11/ d' -e '/^\s*include(.*lwres/ d' \
# Test just compiled libraries
for lib in %{bind_export_libs}
do
sed -e "s,^\s*include(.*${lib}/.*,-- use &," \
-i export-libs/lib/Kyuafile
done
sed -e "/^\s*include(/ d" -e 's/^-- use //' \
-i export-libs/lib/Kyuafile
sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
-i export-libs/lib/Atffile
## End of export libs
%endif
@ -759,68 +771,73 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
%endif
%if %{with SYSTEMTEST}
if [ "`whoami`" = 'root' ]; then
# Runs system test if ip addresses are already configured
# or it is able to configure them
if perl bin/tests/system/testsock.pl
then
CONFIGURED=already
else
CONFIGURED=
sh bin/tests/system/ifconfig.sh up
perl bin/tests/system/testsock.pl && CONFIGURED=build
fi
if [ -n "$CONFIGURED" ]
then
set -e
chmod -R a+rwX .
pushd bin/tests
pushd system
./ifconfig.sh up
popd
make test
pushd build/bin/tests
chown -R ${USER} . # Can be unknown user
make test %{?_smp_mflags} 2>&1 | tee test.log
e=$?
pushd system
./ifconfig.sh down
popd
popd
[ "$CONFIGURED" = build ] && sh bin/tests/system/ifconfig.sh down
if [ "$e" -ne 0 ]; then
echo "ERROR: this build of BIND failed 'make test'. Aborting."
exit $e;
fi;
else
echo 'only root can run the tests (they require an ifconfig).'
echo 'SKIPPED: tests require root, CAP_NET_ADMIN or already configured test addresses.'
fi
%endif
:
%install
# Build directory hierarchy
mkdir -p ${RPM_BUILD_ROOT}/etc/logrotate.d
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
mkdir -p ${RPM_BUILD_ROOT}%{_libdir}/bind
mkdir -p ${RPM_BUILD_ROOT}/var/named/{slaves,data,dynamic}
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named/{slaves,data,dynamic}
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/{man1,man5,man8}
mkdir -p ${RPM_BUILD_ROOT}/run/named
mkdir -p ${RPM_BUILD_ROOT}/var/log
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/log
#chroot
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/{dev,etc,var,run/named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/var/{log,named,tmp}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/crypto-policies/back-ends
for D in %{chroot_create_directories}
do
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}${D}
done
# create symlink as it is on real filesystem
pushd ${RPM_BUILD_ROOT}/%{chroot_prefix}/var
ln -s ../run run
popd
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/{pki/dnssec-keys,named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_prefix}/%{_libdir}/bind
# these are required to prevent them being erased during upgrade of previous
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/etc/named.conf
touch ${RPM_BUILD_ROOT}/%{chroot_prefix}%{_sysconfdir}/named.conf
#end chroot
#sdb-chroot
%if %{with SDB}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/{dev,etc,var,run/named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var/{log,named,tmp}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/crypto-policies/back-ends
for D in %{chroot_create_directories}
do
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}${D}
done
# create symlink as it is on real filesystem
pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/var
pushd ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}%{_localstatedir}
ln -s ../run run
popd
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/{pki/dnssec-keys,named}
mkdir -p ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/%{_libdir}/bind
# these are required to prevent them being erased during upgrade of previous
touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}/etc/named.conf
touch ${RPM_BUILD_ROOT}/%{chroot_sdb_prefix}%{_sysconfdir}/named.conf
%endif
#end sdb-chroot
@ -924,7 +941,6 @@ install -m 644 %{SOURCE34} ${RPM_BUILD_ROOT}%{_mandir}/man1/zone2sqlite.1
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s named.8.gz named-pkcs11.8.gz
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
ln -s dnssec-coverage.8.gz dnssec-coverage-pkcs11.8.gz
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
@ -939,20 +955,28 @@ popd
touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log
# configuration files:
tar -C ${RPM_BUILD_ROOT} -xjf %{SOURCE28}
install -m 640 %{SOURCE26} ${RPM_BUILD_ROOT}/etc/named.conf
touch ${RPM_BUILD_ROOT}/etc/rndc.key
touch ${RPM_BUILD_ROOT}/etc/rndc.conf
mkdir ${RPM_BUILD_ROOT}/etc/named
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}/etc/trusted-key.key
install -m 640 %{SOURCE16} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.conf
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/rndc.{key,conf}
install -m 644 %{SOURCE27} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.root.key
install -m 644 %{SOURCE36} ${RPM_BUILD_ROOT}%{_sysconfdir}/trusted-key.key
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/named
# data files:
mkdir -p ${RPM_BUILD_ROOT}%{_localstatedir}/named
install -m 640 %{SOURCE17} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.ca
install -m 640 %{SOURCE18} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.localhost
install -m 640 %{SOURCE19} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.loopback
install -m 640 %{SOURCE20} ${RPM_BUILD_ROOT}%{_localstatedir}/named/named.empty
install -m 640 %{SOURCE23} ${RPM_BUILD_ROOT}%{_sysconfdir}/named.rfc1912.zones
# sample bind configuration files for %%doc:
mkdir -p sample/etc sample/var/named/{data,slaves}
install -m 644 %{SOURCE25} sample/etc/named.conf
# Copy default configuration to %%doc to make it usable from system-config-bind
install -m 644 %{SOURCE26} named.conf.default
install -m 644 ${RPM_BUILD_ROOT}/etc/named.rfc1912.zones sample/etc/named.rfc1912.zones
install -m 644 ${RPM_BUILD_ROOT}/var/named/{named.ca,named.localhost,named.loopback,named.empty} sample/var/named
install -m 644 %{SOURCE16} named.conf.default
install -m 644 %{SOURCE23} sample/etc/named.rfc1912.zones
install -m 644 %{SOURCE18} %{SOURCE19} %{SOURCE20} sample/var/named
install -m 644 %{SOURCE17} sample/var/named/named.ca
for f in my.internal.zone.db slaves/my.slave.internal.zone.db slaves/my.ddns.internal.zone.db my.external.zone.db; do
echo '@ in soa localhost. root 1 3H 15M 1W 1D
ns localhost.' > sample/var/named/$f;
@ -1200,9 +1224,9 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%files libs
%{_libdir}/libbind9.so.160*
%{_libdir}/libisccc.so.160*
%{_libdir}/liblwres.so.160*
%{_libdir}/libbind9.so.161*
%{_libdir}/libisccc.so.161*
%{_libdir}/liblwres.so.161*
%files libs-lite
%{_libdir}/libdns.so.%{sover_dns}*
@ -1300,27 +1324,28 @@ rm -rf ${RPM_BUILD_ROOT}
%defattr(0640,root,named,0750)
%dir %{chroot_prefix}
%dir %{chroot_prefix}/dev
%dir %{chroot_prefix}/etc
%dir %{chroot_prefix}/etc/named
%dir %{chroot_prefix}/etc/pki
%dir %{chroot_prefix}/etc/pki/dnssec-keys
%dir %{chroot_prefix}/etc/crypto-policies
%dir %{chroot_prefix}/etc/crypto-policies/back-ends
%dir %{chroot_prefix}/var
%dir %{chroot_prefix}%{_sysconfdir}
%dir %{chroot_prefix}%{_sysconfdir}/named
%dir %{chroot_prefix}%{_sysconfdir}/pki
%dir %{chroot_prefix}%{_sysconfdir}/pki/dnssec-keys
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies
%dir %{chroot_prefix}%{_sysconfdir}/crypto-policies/back-ends
%dir %{chroot_prefix}%{_localstatedir}
%dir %{chroot_prefix}/run
%ghost %config(noreplace) %{chroot_prefix}/etc/named.conf
%ghost %config(noreplace) %{chroot_prefix}%{_sysconfdir}/named.conf
%defattr(-,root,root,-)
%dir %{chroot_prefix}/usr
%dir %{chroot_prefix}/%{_libdir}
%dir %{chroot_prefix}/%{_libdir}/bind
%dir %{chroot_prefix}/%{_datadir}/GeoIP
%defattr(0660,root,named,01770)
%dir %{chroot_prefix}/var/named
%dir %{chroot_prefix}%{_localstatedir}/named
%defattr(0660,named,named,0770)
%dir %{chroot_prefix}/var/tmp
%dir %{chroot_prefix}/var/log
%dir %{chroot_prefix}%{_localstatedir}/tmp
%dir %{chroot_prefix}%{_localstatedir}/log
%defattr(-,named,named,-)
%dir %{chroot_prefix}/run/named
%{chroot_prefix}/var/run
%{chroot_prefix}%{_localstatedir}/run
%if %{with SDB}
%files sdb-chroot
@ -1336,27 +1361,28 @@ rm -rf ${RPM_BUILD_ROOT}
%defattr(0640,root,named,0750)
%dir %{chroot_sdb_prefix}
%dir %{chroot_sdb_prefix}/dev
%dir %{chroot_sdb_prefix}/etc
%dir %{chroot_sdb_prefix}/etc/named
%dir %{chroot_sdb_prefix}/etc/pki
%dir %{chroot_sdb_prefix}/etc/pki/dnssec-keys
%dir %{chroot_sdb_prefix}/etc/crypto-policies
%dir %{chroot_sdb_prefix}/etc/crypto-policies/back-ends
%dir %{chroot_sdb_prefix}/var
%dir %{chroot_sdb_prefix}%{_sysconfdir}
%dir %{chroot_sdb_prefix}%{_sysconfdir}/named
%dir %{chroot_sdb_prefix}%{_sysconfdir}/pki
%dir %{chroot_sdb_prefix}%{_sysconfdir}/pki/dnssec-keys
%dir %{chroot_sdb_prefix}%{_sysconfdir}/crypto-policies
%dir %{chroot_sdb_prefix}%{_sysconfdir}/crypto-policies/back-ends
%dir %{chroot_sdb_prefix}%{_localstatedir}
%dir %{chroot_sdb_prefix}/run
%ghost %config(noreplace) %{chroot_sdb_prefix}/etc/named.conf
%ghost %config(noreplace) %{chroot_sdb_prefix}%{_sysconfdir}/named.conf
%defattr(0660,root,named,01770)
%dir %{chroot_sdb_prefix}/var/named
%dir %{chroot_sdb_prefix}%{_localstatedir}/named
%defattr(-,root,root,-)
%dir %{chroot_sdb_prefix}/usr
%dir %{chroot_sdb_prefix}/%{_libdir}
%dir %{chroot_sdb_prefix}/%{_libdir}/bind
%dir %{chroot_sdb_prefix}/%{_datadir}/GeoIP
%defattr(0660,named,named,0770)
%dir %{chroot_sdb_prefix}/var/tmp
%dir %{chroot_sdb_prefix}/var/log
%dir %{chroot_sdb_prefix}%{_localstatedir}/tmp
%dir %{chroot_sdb_prefix}%{_localstatedir}/log
%defattr(-,named,named,-)
%dir %{chroot_sdb_prefix}/run/named
%{chroot_sdb_prefix}/var/run
%{chroot_sdb_prefix}%{_localstatedir}/run
%endif
%if %{with PKCS11}
@ -1374,6 +1400,9 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sbindir}/pkcs11-tokens
%{_mandir}/man8/pkcs11*.8*
%{_mandir}/man8/dnssec*-pkcs11.8*
%{_mandir}/man8/dnssec*.8*
%exclude %{_mandir}/man8/dnssec-coverage.8*
%exclude %{_mandir}/man8/dnssec-keymgr.8*
%files pkcs11-libs
%{_libdir}/libdns-pkcs11.so.%{sover_dns}*
@ -1453,6 +1482,49 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.13-1
- Update to 9.11.13
* Tue Nov 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-5
- Report failures on systemctl reload (#1739428)
* Mon Nov 18 2019 Pavel Zhukov <pzhukov@redhat.com> - 32:9.11.12-4
- dhcp: Use monotonic time for detecting time jumps if available (#1729211)
* Fri Nov 15 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-3
- Backported serve-stale feature (#1664863)
* Thu Nov 07 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-2
- Add GeoLite2 support (#1564443)
- Add GeoIP to bind-chroot (#1497646)
- Fix wrong default GeoIP directory (#1768258)
* Mon Oct 21 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.12-1
- Update to 9.11.12 (#1557762)
* Wed Sep 25 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.11-1
- Update to 9.11.11
* Tue Aug 27 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.10-1
- Update to 9.11.10
- Share pkcs11-utils and dnssec-utils manuals instead of recommend
* Thu Aug 08 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.7-1
- Update to 9.11.7
* Thu Aug 08 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-26.P2
- Permit explicit disabling of RSAMD5 in FIPS mode (#1737407)
* Wed Jul 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-25.P2
- Fix CVE-2018-5745
- Fix CVE-2019-6465
* Wed Jul 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-24.P2
- Do not override random numbers provider in DHCP (#1668682)
* Wed Jul 17 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-23.P2
- Report errors on invalid IDN 2008 names (#1679307)
* Wed Jun 19 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-22.P2
- Fix CVE-2019-6471
@ -1466,6 +1538,7 @@ rm -rf ${RPM_BUILD_ROOT}
- Add support for OpenSSL provided random data
- Disable often failing unit test random_test
- Add /dev/urandom to chroot
* Wed Apr 24 2019 Petr Menšík <pemensik@redhat.com> - 32:9.11.4-18.P2
- Fix zone2ldap tool memory management (#1602451)
- Add support for OpenSSL provided random data