From 29cf07efaf55ba075b2e7414d7f41d7624ff3f21 Mon Sep 17 00:00:00 2001 
From: James Antill
Date: Mon, 27 Feb 2023 12:22:46 -0500
Subject: [PATCH] Import rpm: c8s

---
 .gitignore | 2 +
 bind-9.10-dist-native-pkcs11.patch | 550 ++++
 bind-9.11-feature-test-named.patch | 59 +
 bind-9.11-fips-tests.patch | 959 +++++++
 bind-9.11-kyua-pkcs11.patch | 58 +
 bind-9.11-rh1666814.patch | 29 +
 bind-9.11-tests-variants.patch | 65 +
 bind-9.14-config-pkcs11.patch | 83 +
 bind-9.16-CVE-2021-25220-test.patch | 1144 ++++++++
 bind-9.16-CVE-2021-25220.patch | 251 ++
 bind-9.16-CVE-2022-0396.patch | 81 +
 bind-9.16-CVE-2022-2795.patch | 60 +
 bind-9.16-CVE-2022-3080.patch | 116 +
 bind-9.16-CVE-2022-3094-1.patch | 241 ++
 bind-9.16-CVE-2022-3094-2.patch | 266 ++
 bind-9.16-CVE-2022-3094-3.patch | 470 ++++
 bind-9.16-CVE-2022-3094-test.patch | 272 ++
 bind-9.16-CVE-2022-3736.patch | 53 +
 bind-9.16-CVE-2022-38177.patch | 27 +
 bind-9.16-CVE-2022-38178.patch | 32 +
 bind-9.16-CVE-2022-3924.patch | 128 +
 bind-9.16-redhat_doc.patch | 60 +
 bind-9.16.23.tar.xz.asc | 17 +
 bind-9.5-PIE.patch | 30 +
 bind-9.5-dlz-64bit.patch | 53 +
 bind-9.9.1-P2-dlz-libdb.patch | 31 +
 bind.tmpfiles.d | 1 +
 bind9.16.spec | 4035 +++++++++++++++++++++++++++
 bind93-rh490837.patch | 34 +
 bind97-rh645544.patch | 31 +
 codesign2021.txt | 534 ++++
 generate-rndc-key.sh | 33 +
 named-chroot-setup.service | 12 +
 named-chroot.files | 27 +
 named-chroot.service | 30 +
 named-pkcs11.service | 26 +
 named-setup-rndc.service | 7 +
 named.conf | 59 +
 named.conf.sample | 243 ++
 named.empty | 10 +
 named.localhost | 10 +
 named.logrotate | 12 +
 named.loopback | 11 +
 named.rfc1912.zones | 45 +
 named.root | 61 +
 named.root.key | 13 +
 named.rwtab | 6 +
 named.service | 25 +
 named.sysconfig | 17 +
 setup-named-chroot.sh | 117 +
 setup-named-softhsm.sh | 124 +
 sources | 1 +
 trusted-key.key | 1 +
 53 files changed, 10662 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 bind-9.10-dist-native-pkcs11.patch
 create mode 100644 bind-9.11-feature-test-named.patch
 create mode 100644 bind-9.11-fips-tests.patch
 create mode 100644 bind-9.11-kyua-pkcs11.patch
 create mode 100644 bind-9.11-rh1666814.patch
 create mode 100644 bind-9.11-tests-variants.patch
 create mode 100644 bind-9.14-config-pkcs11.patch
 create mode 100644 bind-9.16-CVE-2021-25220-test.patch
 create mode 100644 bind-9.16-CVE-2021-25220.patch
 create mode 100644 bind-9.16-CVE-2022-0396.patch
 create mode 100644 bind-9.16-CVE-2022-2795.patch
 create mode 100644 bind-9.16-CVE-2022-3080.patch
 create mode 100644 bind-9.16-CVE-2022-3094-1.patch
 create mode 100644 bind-9.16-CVE-2022-3094-2.patch
 create mode 100644 bind-9.16-CVE-2022-3094-3.patch
 create mode 100644 bind-9.16-CVE-2022-3094-test.patch
 create mode 100644 bind-9.16-CVE-2022-3736.patch
 create mode 100644 bind-9.16-CVE-2022-38177.patch
 create mode 100644 bind-9.16-CVE-2022-38178.patch
 create mode 100644 bind-9.16-CVE-2022-3924.patch
 create mode 100644 bind-9.16-redhat_doc.patch
 create mode 100644 bind-9.16.23.tar.xz.asc
 create mode 100644 bind-9.5-PIE.patch
 create mode 100644 bind-9.5-dlz-64bit.patch
 create mode 100644 bind-9.9.1-P2-dlz-libdb.patch
 create mode 100644 bind.tmpfiles.d
 create mode 100644 bind9.16.spec
 create mode 100644 bind93-rh490837.patch
 create mode 100644 bind97-rh645544.patch
 create mode 100644 codesign2021.txt
 create mode 100755 generate-rndc-key.sh
 create mode 100644 named-chroot-setup.service
 create mode 100644 named-chroot.files
 create mode 100644 named-chroot.service
 create mode 100644 named-pkcs11.service
 create mode 100644 named-setup-rndc.service
 create mode 100644 named.conf
 create mode 100644 named.conf.sample
 create mode 100644 named.empty
 create mode 100644 named.localhost
 create mode 100644 named.logrotate
 create mode 100644 named.loopback
 create mode 100644 named.rfc1912.zones
 create mode 100644 named.root
 create mode 100644 named.root.key
 create mode 100644 named.rwtab
 create mode 100644 named.service
 create mode 100644 named.sysconfig
 create mode 100755 setup-named-chroot.sh
 create mode 100755 setup-named-softhsm.sh
 create mode 100644 sources
 create mode 100644 trusted-key.key

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e513f62
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/bind-9.16.23.tar.xz
+/bind-9.16.23.tar.xz
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
new file mode 100644
index 0000000..85ece30
--- /dev/null
+++ b/bind-9.10-dist-native-pkcs11.patch
@@ -0,0 +1,550 @@ +From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Thu, 21 Jan 2021 10:46:20 +0100 +Subject: [PATCH] Enable custom pkcs11 native build + +Share common parts like libisc, libcc and others. But provide native +pkcs11 libraries as a new copy of libdns and libns. +--- + bin/Makefile.in | 2 +- + bin/confgen/Makefile.in | 2 +- + bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++--------------- + bin/named-pkcs11/Makefile.in | 33 ++++++++++++++------------- + configure.ac | 19 ++++++++++++++++ + lib/Makefile.in | 2 +- + lib/dns-pkcs11/Makefile.in | 22 +++++++++--------- + lib/dns-pkcs11/tests/Makefile.in | 8 +++---- + lib/ns-pkcs11/Makefile.in | 26 ++++++++++----------- + lib/ns-pkcs11/tests/Makefile.in | 12 +++++----- + make/includes.in | 7 ++++++ + 11 files changed, 101 insertions(+), 71 deletions(-) + +diff --git a/bin/Makefile.in b/bin/Makefile.in +index 9ad7f62..094775a 100644 +--- a/bin/Makefile.in ++++ b/bin/Makefile.in +@@ -11,7 +11,7 @@ srcdir = @srcdir@ + VPATH = @srcdir@ + top_srcdir = @top_srcdir@ + +-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ ++SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \ + @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests + TARGETS = + +diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in +index c126bf3..1b7512d 100644 +--- a/bin/confgen/Makefile.in ++++ b/bin/confgen/Makefile.in +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ + CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ + ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} + +-CDEFINES = @USE_PKCS11@ ++CDEFINES = + CWARNINGS = + + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in +index ace0e5a..e0f6a00 100644 +--- a/bin/dnssec-pkcs11/Makefile.in ++++ b/bin/dnssec-pkcs11/Makefile.in +@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ + + 
@BIND9_MAKE_INCLUDES@ + +-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ ++CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ + ${OPENSSL_CFLAGS} + +-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" ++CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1 + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + ISCDEPLIBS = ../../lib/isc/libisc.@A@ + ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ + +@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@ + + NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@ + ++# Add suffix to all targets ++EXEEXT = -pkcs11@EXEEXT@ ++ + # Alphabetically +-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ +- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \ +- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \ +- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ +- dnssec-verify@EXEEXT@ ++TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \ ++ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ ++ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ ++ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ ++ dnssec-verify${EXEEXT} + + OBJS = dnssectool.@O@ + +@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ + + @BIND9_MAKE_RULES@ + +-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} ++dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} 
++dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} ++dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-signzone.c + +-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} ++dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/dnssec-verify.c + +-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} ++dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} + export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ + ${FINALBUILDCMD} + +-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} ++dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-revoke.@O@ ${OBJS} ${LIBS} + +-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} ++dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-settime.@O@ ${OBJS} ${LIBS} + +-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} ++dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} 
${LDFLAGS} -o $@ \ + dnssec-importkey.@O@ ${OBJS} ${LIBS} + +diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in +index 98125dd..518a75f 100644 +--- a/bin/named-pkcs11/Makefile.in ++++ b/bin/named-pkcs11/Makefile.in +@@ -37,13 +37,14 @@ DBDRIVER_LIBS = + + DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers + +-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ +-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ +-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ +-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ ++# Skip building on PKCS11 variant ++DLZDRIVER_OBJS = ++DLZDRIVER_SRCS = ++DLZDRIVER_INCLUDES = ++DLZDRIVER_LIBS = + + CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ +- ${NS_INCLUDES} ${DNS_INCLUDES} \ ++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \ + ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ + ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ + ${DBDRIVER_INCLUDES} \ +@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ + ${LIBXML2_CFLAGS} \ + ${MAXMINDDB_CFLAGS} + +-CDEFINES = @CONTRIB_DLZ@ ++CDEFINES = + + CWARNINGS = + +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ + ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCLIBS = ../../lib/isccc/libisccc.@A@ + ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ + BIND9LIBS = ../../lib/bind9/libbind9.@A@ +-NSLIBS = ../../lib/ns/libns.@A@ ++NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ + ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ + ISCDEPLIBS = ../../lib/isc/libisc.@A@ + BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ +-NSDEPLIBS = ../../lib/ns/libns.@A@ ++NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ + + DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ + ${ISCCFGDEPLIBS} 
${ISCCCDEPLIBS} ${ISCDEPLIBS} +@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ feature-test@EXEEXT@ ++TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@ + + GEOIP2LINKOBJS = geoip.@O@ + +@@ -151,7 +152,7 @@ server.@O@: server.c + -DPRODUCT=\"${PRODUCT}\" \ + -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c + +-named@EXEEXT@: ${OBJS} ${DEPLIBS} ++named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} + export MAKE_SYMTABLE="yes"; \ + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} +@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -c ${top_srcdir}/bin/tests/system/feature-test.c + +-feature-test@EXEEXT@: feature-test.@O@ ++feature-test-pkcs11@EXEEXT@: feature-test.@O@ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ + -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} + +@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + +-install:: named@EXEEXT@ installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} ++install:: named-pkcs11@EXEEXT@ installdirs ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ + + @DLZ_DRIVER_RULES@ + +diff --git a/configure.ac b/configure.ac +index 032228b..64e3da0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) + AC_SUBST(DST_GSSAPI_INC) + AC_SUBST(DNS_GSSAPI_LIBS) + DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" ++DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" + + # + # Applications linking with libdns also need to link with these libraries. 
+ # + + AC_SUBST(DNS_CRYPTO_LIBS) ++AC_SUBST(DNS_CRYPTO_PK11_LIBS) + + # + # was --with-lmdb specified? +@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) + AC_SUBST(BIND9_NS_BUILDINCLUDE) + AC_SUBST(BIND9_BIND9_BUILDINCLUDE) + AC_SUBST(BIND9_IRS_BUILDINCLUDE) ++AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE) ++AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE) + if test "X$srcdir" != "X"; then + BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" + BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" +@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then + BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" + BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" + BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" ++ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include" ++ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include" + else + BIND9_ISC_BUILDINCLUDE="" + BIND9_ISCCC_BUILDINCLUDE="" +@@ -2343,6 +2349,8 @@ else + BIND9_NS_BUILDINCLUDE="" + BIND9_BIND9_BUILDINCLUDE="" + BIND9_IRS_BUILDINCLUDE="" ++ BIND9_DNS_PKCS11_BUILDINCLUDE="" ++ BIND9_NS_PKCS11_BUILDINCLUDE="" + fi + + AC_SUBST_FILE(BIND9_MAKE_INCLUDES) +@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([ + bin/delv/Makefile + bin/dig/Makefile + bin/dnssec/Makefile ++ bin/dnssec-pkcs11/Makefile + bin/named/Makefile + bin/named/unix/Makefile ++ bin/named-pkcs11/Makefile ++ bin/named-pkcs11/unix/Makefile + bin/nsupdate/Makefile + bin/pkcs11/Makefile + bin/plugins/Makefile +@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([ + lib/dns/include/dns/Makefile + lib/dns/include/dst/Makefile + lib/dns/tests/Makefile ++ lib/dns-pkcs11/Makefile ++ lib/dns-pkcs11/include/Makefile ++ lib/dns-pkcs11/include/dns/Makefile ++ lib/dns-pkcs11/include/dst/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([ + lib/ns/include/Makefile + lib/ns/include/ns/Makefile + 
lib/ns/tests/Makefile ++ lib/ns-pkcs11/Makefile ++ lib/ns-pkcs11/include/Makefile ++ lib/ns-pkcs11/include/ns/Makefile ++ lib/ns-pkcs11/tests/Makefile + make/Makefile + make/mkdep + unit/unittest.sh +diff --git a/lib/Makefile.in b/lib/Makefile.in +index 833964e..058ba2f 100644 +--- a/lib/Makefile.in ++++ b/lib/Makefile.in +@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ + # Attempt to disable parallel processing. + .NOTPARALLEL: + .NO_PARALLEL: +-SUBDIRS = isc isccc dns ns isccfg bind9 irs ++SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs + TARGETS = + + @BIND9_MAKE_RULES@ +diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in +index 58bda3c..d6a45df 100644 +--- a/lib/dns-pkcs11/Makefile.in ++++ b/lib/dns-pkcs11/Makefile.in +@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ ++CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ + ${ISC_INCLUDES} \ + ${FSTRM_CFLAGS} \ + ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ +@@ -32,7 +32,7 @@ CINCLUDES = -I. 
-I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ + ${LMDB_CFLAGS} \ + ${MAXMINDDB_CFLAGS} + +-CDEFINES = @USE_GSSAPI@ ++CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ + + CWARNINGS = + +@@ -135,15 +135,15 @@ version.@O@: version.c + -DMAPAPI=\"${MAPAPI}\" \ + -c ${srcdir}/version.c + +-libdns.@SA@: ${OBJS} ++libdns-pkcs11.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libdns.la: ${OBJS} ++libdns-pkcs11.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ + -release "${VERSION}" \ +- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + + include: gen + ${MAKE} include/dns/enumtype.h +@@ -174,22 +174,22 @@ gen: gen.c + ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ + ${BUILD_LIBS} ${LFS_LIBS} + +-timestamp: include libdns.@A@ ++timestamp: include libdns-pkcs11.@A@ + touch timestamp + +-testdirs: libdns.@A@ ++testdirs: libdns-pkcs11.@A@ + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ + + clean distclean:: +- rm -f libdns.@A@ timestamp ++ rm -f libdns-pkcs11.@A@ timestamp + rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h + rm -f include/dns/rdatastruct.h + rm -f dnstap.pb-c.c dnstap.pb-c.h +diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in +index 3bb5e01..c96fe7d 100644 +--- a/lib/dns-pkcs11/tests/Makefile.in ++++ b/lib/dns-pkcs11/tests/Makefile.in +@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ ++CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ + ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ + ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ +-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" ++CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" + + ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCDEPLIBS = ../../isc/libisc.@A@ +-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@ +-DNSDEPLIBS = ../libdns.@A@ ++DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSDEPLIBS = ../libdns-pkcs11.@A@ + + LIBS = @LIBS@ @CMOCKA_LIBS@ + +diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in +index bc683ce..7a9d2f2 100644 +--- a/lib/ns-pkcs11/Makefile.in ++++ b/lib/ns-pkcs11/Makefile.in +@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ + + @BIND9_MAKE_INCLUDES@ + +-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ +- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ ++CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \ ++ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ + ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ + ${FSTRM_CFLAGS} + +-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\" ++CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\" + + CWARNINGS = + +@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ + + ISCDEPLIBS = ../../lib/isc/libisc.@A@ + +-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ + +-DNSDEPLIBS = ../../lib/dns/libdns.@A@ ++DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ + + LIBS = @LIBS@ + +@@ -60,28 +60,28 @@ version.@O@: version.c + -DMAJOR=\"${MAJOR}\" \ + -c ${srcdir}/version.c + +-libns.@SA@: ${OBJS} ++libns-pkcs11.@SA@: ${OBJS} + ${AR} ${ARFLAGS} $@ ${OBJS} + ${RANLIB} $@ + +-libns.la: ${OBJS} ++libns-pkcs11.la: ${OBJS} + ${LIBTOOL_MODE_LINK} \ +- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ ++ ${CC} ${ALL_CFLAGS} 
${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ + -release "${VERSION}" \ +- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} ++ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} + +-timestamp: libns.@A@ ++timestamp: libns-pkcs11.@A@ + touch timestamp + + installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} + + install:: timestamp installdirs +- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \ ++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \ + ${DESTDIR}${libdir} + + uninstall:: +- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@ ++ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@ + + clean distclean:: +- rm -f libns.@A@ timestamp ++ rm -f libns-pkcs11.@A@ timestamp +diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in +index 4c3e694..c1b6d99 100644 +--- a/lib/ns-pkcs11/tests/Makefile.in ++++ b/lib/ns-pkcs11/tests/Makefile.in +@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@ + + WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach + +-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ ++CINCLUDES = -I. 
-Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ + ${OPENSSL_CFLAGS} \ + @CMOCKA_CFLAGS@ +-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" ++CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ + + ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ + ISCDEPLIBS = ../../isc/libisc.@A@ +-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ +-DNSDEPLIBS = ../../dns/libdns.@A@ +-NSLIBS = ../libns.@A@ +-NSDEPLIBS = ../libns.@A@ ++DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ ++DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ ++NSLIBS = ../libns-pkcs11.@A@ ++NSDEPLIBS = ../libns-pkcs11.@A@ + + LIBS = @LIBS@ @CMOCKA_LIBS@ + +diff --git a/make/includes.in b/make/includes.in +index b8317d3..b73b0c4 100644 +--- a/make/includes.in ++++ b/make/includes.in +@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ + + TEST_INCLUDES = \ + -I${top_srcdir}/lib/tests/include ++ ++DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/dns-pkcs11/include ++ ++NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \ ++ -I${top_srcdir}/lib/ns-pkcs11/include ++ +-- +2.26.3 + diff --git a/bind-9.11-feature-test-named.patch b/bind-9.11-feature-test-named.patch new file mode 100644 index 0000000..9af8d73 --- /dev/null +++ b/bind-9.11-feature-test-named.patch 
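Review bot: `CDEFINES` in the bin/dnssec-pkcs11/Makefile.in hunk hardcodes `-DUSE_PKCS11=1`, whereas lib/dns-pkcs11, lib/ns-pkcs11 and both tests Makefiles in the same patch take it from the configure substitution `@USE_PKCS11@`, and bin/named-pkcs11/Makefile.in sets `CDEFINES =` with no PKCS#11 define at all. A build where configure leaves `@USE_PKCS11@` empty would then compile the dnssec-pkcs11 tools with the macro set while linking them against a libdns-pkcs11 built without it; using the same substitution, `CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" @USE_PKCS11@`, keeps the variant consistent (how named-pkcs11 gets the macro is not visible here and deserves a sentence in the patch description). The `EXEEXT = -pkcs11@EXEEXT@` override in that Makefile repurposes the autoconf executable-suffix variable as a target suffix, yet the explicit rules below spell `dnssec-cds-pkcs11@EXEEXT@` and friends by hand rather than `${EXEEXT}`; a comment such as `# EXEEXT is overridden so every tool is named NAME-pkcs11; the explicit rules below must use the same suffix` would save the next maintainer a rename slip. In the configure.ac hunk, `DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"` reads a variable this patch never assigns, so it presumably depends on an earlier patch in the series defining it.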
@@ -0,0 +1,59 @@ +From e645046202006750f87531e21e3ff7c26fba3466 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Wed, 30 Jan 2019 14:37:17 +0100 +Subject: [PATCH] Create feature-test in source directory + +Feature-test tool is used in system tests to test compiled in changes. +Because we build more variants of named with different configuration, +compile feature-test for each of them this way. +--- + bin/named/Makefile.in | 12 +++++++++++- + bin/tests/system/conf.sh.in | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in +index 37053a7..ed9add2 100644 +--- a/bin/named/Makefile.in ++++ b/bin/named/Makefile.in +@@ -91,7 +91,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ + + SUBDIRS = unix + +-TARGETS = named@EXEEXT@ ++TARGETS = named@EXEEXT@ feature-test@EXEEXT@ + + GEOIP2LINKOBJS = geoip.@O@ + +@@ -154,6 +154,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS} + export BASEOBJS="${OBJS} ${UOBJS}"; \ + ${FINALBUILDCMD} + ++# Bit of hack, do not produce intermediate .o object for featuretest ++feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c ++ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ ++ -c ${top_srcdir}/bin/tests/system/feature-test.c ++ ++feature-test@EXEEXT@: feature-test.@O@ ++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ ++ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} ++ ++ + clean distclean maintainer-clean:: + rm -f ${TARGETS} ${OBJS} + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index 7934930..e84fde2 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv + DIG=$TOP/bin/dig/dig + DNSTAPREAD=$TOP/bin/tools/dnstap-read + DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey +-FEATURETEST=$TOP/bin/tests/system/feature-test ++FEATURETEST=$TOP/bin/named/feature-test + FSTRM_CAPTURE=@FSTRM_CAPTURE@ + HOST=$TOP/bin/dig/host + IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey 
+-- +2.26.2 + diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch new file mode 100644 index 0000000..51927a4 --- /dev/null +++ b/bind-9.11-fips-tests.patch 
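Review bot: The comment `# Bit of hack, do not produce intermediate .o object for featuretest` in the bin/named/Makefile.in hunk says the opposite of what the rule beneath it does — `feature-test.@O@` is precisely an intermediate object, built here from a source file in bin/tests/system. Rewording it to `# Build feature-test from bin/tests/system here so each named variant gets its own copy` matches both the rule and the commit message. The `clean distclean maintainer-clean::` target removes `${TARGETS}` and `${OBJS}`; `feature-test@EXEEXT@` is now in TARGETS but `feature-test.@O@` is not visibly added to OBJS (OBJS is defined outside the hunk), so unless it is listed there the object survives `make clean`, which `rm -f ${TARGETS} ${OBJS} feature-test.@O@` would fix.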
@@ -0,0 +1,959 @@ +From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 2 Aug 2018 23:46:45 +0200 +Subject: [PATCH] FIPS tests changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Squashed commit of the following: + +commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa +Author: Petr Menšík +Date: Wed Mar 7 20:35:13 2018 +0100 + + Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. + +commit ab303db70082db76ecf36493d0b82ef3e8750cad +Author: Petr Menšík +Date: Wed Mar 7 18:11:10 2018 +0100 + + Changed root key to be RSASHA256 + + Change bad trusted key to be the same algorithm. + +commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 +Author: Petr Menšík +Date: Wed Mar 7 16:56:17 2018 +0100 + + Change used key to not use hmac-md5 + + Fix upforwd test, do not use hmac-md5 + +commit aec891571626f053acfb4d0a247240cbc21a84e9 +Author: Petr Menšík +Date: Wed Mar 7 15:54:11 2018 +0100 + + Increase bitsize of DSA key to pass FIPS 140-2 mode. + +commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 +Author: Petr Menšík +Date: Wed Mar 7 15:41:08 2018 +0100 + + Fix tsig and rndc tests for disabled md5 + + Use hmac-sha256 instead of hmac-md5. 
+ +commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 +Author: Petr Menšík +Date: Wed Mar 7 13:21:00 2018 +0100 + + Add md5 availability detection to featuretest + +commit f389a918803e2853e4b55fed62765dc4a492e34f +Author: Petr Menšík +Date: Wed Mar 7 10:44:23 2018 +0100 + + Change tests to not use hmac-md5 algorithms if not required + + Use hmac-sha256 instead of default hmac-md5 for allow-query +--- + bin/tests/system/acl/ns2/named1.conf.in | 4 +- + bin/tests/system/acl/ns2/named2.conf.in | 4 +- + bin/tests/system/acl/ns2/named3.conf.in | 6 +- + bin/tests/system/acl/ns2/named4.conf.in | 4 +- + bin/tests/system/acl/ns2/named5.conf.in | 4 +- + bin/tests/system/acl/tests.sh | 32 ++++----- + .../system/allow-query/ns2/named10.conf.in | 2 +- + .../system/allow-query/ns2/named11.conf.in | 4 +- + .../system/allow-query/ns2/named12.conf.in | 2 +- + .../system/allow-query/ns2/named30.conf.in | 2 +- + .../system/allow-query/ns2/named31.conf.in | 4 +- + .../system/allow-query/ns2/named32.conf.in | 2 +- + .../system/allow-query/ns2/named40.conf.in | 4 +- + bin/tests/system/allow-query/tests.sh | 18 ++--- + bin/tests/system/catz/ns1/named.conf.in | 2 +- + bin/tests/system/catz/ns2/named.conf.in | 2 +- + bin/tests/system/checkconf/bad-tsig.conf | 2 +- + bin/tests/system/checkconf/good.conf | 2 +- + bin/tests/system/feature-test.c | 14 ++++ + bin/tests/system/notify/ns5/named.conf.in | 6 +- + bin/tests/system/notify/tests.sh | 6 +- + bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- + bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- + bin/tests/system/nsupdate/setup.sh | 6 +- + bin/tests/system/nsupdate/tests.sh | 15 +++-- + bin/tests/system/rndc/setup.sh | 2 +- + bin/tests/system/rndc/tests.sh | 23 ++++--- + bin/tests/system/tsig/ns1/named.conf.in | 10 +-- + bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ + bin/tests/system/tsig/setup.sh | 5 ++ + bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- + bin/tests/system/upforwd/ns1/named.conf.in | 2 +- + 
bin/tests/system/upforwd/tests.sh | 2 +- + 33 files changed, 162 insertions(+), 108 deletions(-) + create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in + +diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in +index 60f22e1..249f672 100644 +--- a/bin/tests/system/acl/ns2/named1.conf.in ++++ b/bin/tests/system/acl/ns2/named1.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in +index ada97bc..f82d858 100644 +--- a/bin/tests/system/acl/ns2/named2.conf.in ++++ b/bin/tests/system/acl/ns2/named2.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in +index 97684e4..de6a2e9 100644 +--- a/bin/tests/system/acl/ns2/named3.conf.in ++++ b/bin/tests/system/acl/ns2/named3.conf.in +@@ -33,17 +33,17 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key three { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in +index 462b3fa..994b35c 100644 +--- a/bin/tests/system/acl/ns2/named4.conf.in ++++ b/bin/tests/system/acl/ns2/named4.conf.in +@@ -33,12 +33,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm 
hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in +index 728da58..8f00d09 100644 +--- a/bin/tests/system/acl/ns2/named5.conf.in ++++ b/bin/tests/system/acl/ns2/named5.conf.in +@@ -35,12 +35,12 @@ options { + }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh +index be59d64..13d5bdc 100644 +--- a/bin/tests/system/acl/tests.sh ++++ b/bin/tests/system/acl/tests.sh +@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" + # key "one" should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + + # any other key should be fine + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + copy_setports ns2/named2.conf.in ns2/named.conf +@@ -39,18 +39,18 @@ sleep 5 + # prefix 10/8 should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # any other address should work, as long as it sends key "one" + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. 
\ +- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + echo_i "testing nested ACL processing" +@@ -62,31 +62,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # but only one or the other should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. 
\ +- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + t=`expr $t + 1` +@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 + # and other values? right out + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two +@@ -108,31 +108,31 @@ sleep 5 + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should succeed + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. 
\ +- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + # should fail + t=`expr $t + 1` + $DIG $DIGOPTS tsigzone. \ +- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} ++ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} + grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } + + echo_i "testing allow-query-on ACL processing" +diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in +index 7d43e36..f7b25f9 100644 +--- a/bin/tests/system/allow-query/ns2/named10.conf.in ++++ b/bin/tests/system/allow-query/ns2/named10.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in +index 2952518..121557e 100644 +--- a/bin/tests/system/allow-query/ns2/named11.conf.in ++++ b/bin/tests/system/allow-query/ns2/named11.conf.in +@@ -10,12 +10,12 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in +index 0c01071..ceabbb5 100644 +--- a/bin/tests/system/allow-query/ns2/named12.conf.in ++++ b/bin/tests/system/allow-query/ns2/named12.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in +index 4c17292..9cd9d1f 100644 +--- 
a/bin/tests/system/allow-query/ns2/named30.conf.in ++++ b/bin/tests/system/allow-query/ns2/named30.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in +index a2690a4..f488730 100644 +--- a/bin/tests/system/allow-query/ns2/named31.conf.in ++++ b/bin/tests/system/allow-query/ns2/named31.conf.in +@@ -10,12 +10,12 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in +index a0708c8..51fa457 100644 +--- a/bin/tests/system/allow-query/ns2/named32.conf.in ++++ b/bin/tests/system/allow-query/ns2/named32.conf.in +@@ -10,7 +10,7 @@ + */ + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in +index 687768e..d24d6d2 100644 +--- a/bin/tests/system/allow-query/ns2/named40.conf.in ++++ b/bin/tests/system/allow-query/ns2/named40.conf.in +@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; + acl badaccept { 10.53.0.1; }; + + key one { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234abcd8765"; + }; + + key two { +- algorithm hmac-md5; ++ algorithm hmac-sha256; + secret "1234efgh8765"; + }; + +diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh +index fe40635..543c663 100644 +--- a/bin/tests/system/allow-query/tests.sh ++++ b/bin/tests/system/allow-query/tests.sh +@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > 
dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 
a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 + + echo_i "test $n: views key disallowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -500,7 +500,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key allowed - query allowed" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -510,7 +510,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key not allowed - query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +@@ -520,7 +520,7 @@ status=`expr $status + $ret` + n=`expr $n + 1` + echo_i "test $n: zone key disallowed 
- query refused" + ret=0 +-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 ++$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 + grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 + grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi +diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in +index 1218669..e62715e 100644 +--- a/bin/tests/system/catz/ns1/named.conf.in ++++ b/bin/tests/system/catz/ns1/named.conf.in +@@ -61,5 +61,5 @@ zone "catalog4.example" { + + key tsig_key. { + secret "LSAnCU+Z"; +- algorithm hmac-md5; ++ algorithm hmac-sha256; + }; +diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in +index 30333e6..4005152 100644 +--- a/bin/tests/system/catz/ns2/named.conf.in ++++ b/bin/tests/system/catz/ns2/named.conf.in +@@ -70,5 +70,5 @@ zone "catalog4.example" { + + key tsig_key. 
{
+ secret "LSAnCU+Z";
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ };
+diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
+index 21be03e..e57c308 100644
+--- a/bin/tests/system/checkconf/bad-tsig.conf
++++ b/bin/tests/system/checkconf/bad-tsig.conf
+@@ -11,7 +11,7 @@
+ 
+ /* Bad secret */
+ key "badtsig" {
+- algorithm hmac-md5;
++ algorithm hmac-sha256;
+ secret "jEdD+BPKg==";
+ };
+ 
+diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
+index e09b9e8..2e824b3 100644
+--- a/bin/tests/system/checkconf/good.conf
++++ b/bin/tests/system/checkconf/good.conf
+@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
+ system;
+ };
+ key "mykey" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "qwertyuiopasdfgh";
+ };
+diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
+index 877504f..577660a 100644
+--- a/bin/tests/system/feature-test.c
++++ b/bin/tests/system/feature-test.c
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ 
++#include
+ #include
+ #include
+ #include
+@@ -186,6 +187,19 @@ main(int argc, char **argv) {
+ #endif /* ifdef DLZ_FILESYSTEM */
+ }
+ 
++ if (strcmp(argv[1], "--md5") == 0) {
++ unsigned char digest[ISC_MAX_MD_SIZE];
++ const unsigned char test[] = "test";
++ unsigned int size = sizeof(digest);
++
++ if (isc_md(ISC_MD_MD5, test, sizeof(test),
++ digest, &size) == ISC_R_SUCCESS) {
++ return (0);
++ } else {
++ return (1);
++ }
++ }
++
+ if (strcmp(argv[1], "--with-idn") == 0) {
+ #ifdef HAVE_LIBIDN2
+ return (0);
+diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
+index 1ee8df4..2b75d9a 100644
+--- a/bin/tests/system/notify/ns5/named.conf.in
++++ b/bin/tests/system/notify/ns5/named.conf.in
+@@ -10,17 +10,17 @@
+ */
+ 
+ key "a" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ secret "aaaaaaaaaaaaaaaaaaaa";
+ };
+ 
+ key "b" {
+- algorithm "hmac-md5";
++ algorithm "hmac-sha256";
+ 
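Review bot: The new `--md5` probe carries no comment saying what its exit status means to the scripts that call it, and `sizeof(test)` hashes the trailing NUL together with the four characters, which is harmless for a capability probe but reads like an off-by-one. A comment on the `if` line such as `/* --md5: exit 0 if the crypto backend can compute MD5 (typically unavailable in FIPS mode), nonzero tells system tests to skip hmac-md5 cases */`, plus either `sizeof(test) - 1` or a note that the terminator is deliberately included, would settle both. The probe also maps every `isc_md()` failure to "MD5 unavailable", which is the safe direction for a skip decision but worth stating in the same comment. main() begins and ends outside the hunk.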
secret "bbbbbbbbbbbbbbbbbbbb"; + }; + + key "c" { +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "cccccccccccccccccccc"; + }; + +diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh +index 3d7e0b7..ec4d9a7 100644 +--- a/bin/tests/system/notify/tests.sh ++++ b/bin/tests/system/notify/tests.sh +@@ -212,16 +212,16 @@ ret=0 + $NSUPDATE << EOF + server 10.53.0.5 ${PORT} + zone x21 +-key a aaaaaaaaaaaaaaaaaaaa ++key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa + update add added.x21 0 in txt "test string" + send + EOF + + for i in 1 2 3 4 5 6 7 8 9 + do +- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ + txt > dig.out.b.ns5.test$n || ret=1 +- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ ++ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ + txt > dig.out.c.ns5.test$n || ret=1 + grep "test string" dig.out.b.ns5.test$n > /dev/null && + grep "test string" dig.out.c.ns5.test$n > /dev/null && +diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in +index b51e700..436c97d 100644 +--- a/bin/tests/system/nsupdate/ns1/named.conf.in ++++ b/bin/tests/system/nsupdate/ns1/named.conf.in +@@ -37,7 +37,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in +index da6b3b4..c547e47 100644 +--- a/bin/tests/system/nsupdate/ns2/named.conf.in ++++ b/bin/tests/system/nsupdate/ns2/named.conf.in +@@ -32,7 +32,7 @@ controls { + }; + + key altkey { +- algorithm hmac-md5; ++ algorithm hmac-sha512; + secret "1234abcd8765"; + }; + +diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh +index c055da3..4e1242b 100644 +--- a/bin/tests/system/nsupdate/setup.sh ++++ 
b/bin/tests/system/nsupdate/setup.sh +@@ -56,7 +56,11 @@ EOF + + $DDNSCONFGEN -q -z example.nil > ns1/ddns.key + +-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++if $FEATURETEST --md5; then ++ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key ++else ++ echo -n > ns1/md5.key ++fi + $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key + $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key + $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key +diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh +index b35d797..41c128e 100755 +--- a/bin/tests/system/nsupdate/tests.sh ++++ b/bin/tests/system/nsupdate/tests.sh +@@ -797,7 +797,14 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -k) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++if $FEATURETEST --md5 ++then ++ ALGS="md5 sha1 sha224 sha256 sha384 sha512" ++else ++ ALGS="sha1 sha224 sha256 sha384 sha512" ++ echo_i "skipping disabled md5 algorithm" ++fi ++for alg in $ALGS; do + $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 + server 10.53.0.1 ${PORT} + update add ${alg}.keytests.nil. 
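Review bot: `echo -n > ns1/md5.key` in the new else branch depends on a non-POSIX echo option; with an echo that does not implement `-n` the file is created containing the literal string `-n` instead of being empty. The portable way to create an empty file is `: > ns1/md5.key`. Whether the harness's `$SHELL` is one where this matters cannot be told from the hunk, so the portable form is the safer choice either way.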
600 A 10.10.10.3 +@@ -805,7 +812,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +@@ -816,7 +823,7 @@ fi + n=`expr $n + 1` + ret=0 + echo_i "check TSIG key algorithms (nsupdate -y) ($n)" +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) + $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 + server 10.53.0.1 ${PORT} +@@ -825,7 +832,7 @@ send + END + done + sleep 2 +-for alg in md5 sha1 sha224 sha256 sha384 sha512; do ++for alg in $ALGS; do + $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 + done + if [ $ret -ne 0 ]; then +diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh +index b59e7a7..04d5f5a 100644 +--- a/bin/tests/system/rndc/setup.sh ++++ b/bin/tests/system/rndc/setup.sh +@@ -33,7 +33,7 @@ make_key () { + sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf + } + +-make_key 1 ${EXTRAPORT1} hmac-md5 ++$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 + make_key 2 ${EXTRAPORT2} hmac-sha1 + make_key 3 ${EXTRAPORT3} hmac-sha224 + make_key 4 ${EXTRAPORT4} hmac-sha256 +diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh +index 9fd84ed..d0b188f 100644 +--- a/bin/tests/system/rndc/tests.sh ++++ b/bin/tests/system/rndc/tests.sh +@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + + n=`expr $n + 1` +-echo_i "testing rndc with hmac-md5 ($n)" +-ret=0 +-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 +-for i in 2 3 4 5 6 +-do +- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 +-done +-if [ $ret != 0 ]; then echo_i "failed"; fi +-status=`expr 
$status + $ret` ++if $FEATURETEST --md5 ++then ++ echo_i "testing rndc with hmac-md5 ($n)" ++ ret=0 ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 ++ for i in 2 3 4 5 6 ++ do ++ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=`expr $status + $ret` ++else ++ echo_i "skipping rndc with hmac-md5 ($n)" ++fi + + n=`expr $n + 1` + echo_i "testing rndc with hmac-sha1 ($n)" +diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in +index 3470c4f..cf539cd 100644 +--- a/bin/tests/system/tsig/ns1/named.conf.in ++++ b/bin/tests/system/tsig/ns1/named.conf.in +@@ -21,10 +21,7 @@ options { + notify no; + }; + +-key "md5" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5; +-}; ++# md5 key appended by setup.sh at the end + + key "sha1" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +@@ -51,10 +48,7 @@ key "sha512" { + algorithm hmac-sha512; + }; + +-key "md5-trunc" { +- secret "97rnFx24Tfna4mHPfgnerA=="; +- algorithm hmac-md5-80; +-}; ++# md5-trunc key appended by setup.sh at the end + + key "sha1-trunc" { + secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; +diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in +new file mode 100644 +index 0000000..0682194 +--- /dev/null ++++ b/bin/tests/system/tsig/ns1/rndc5.conf.in +@@ -0,0 +1,10 @@ ++# Conditionally included when support for MD5 is available ++key "md5" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5; ++}; ++ ++key "md5-trunc" { ++ secret "97rnFx24Tfna4mHPfgnerA=="; ++ algorithm hmac-md5-80; ++}; +diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh +index e3b4a45..ae21d04 100644 +--- a/bin/tests/system/tsig/setup.sh ++++ b/bin/tests/system/tsig/setup.sh +@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. 
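Review bot: The placeholder comments `# md5 key appended by setup.sh at the end` and `# md5-trunc key appended by setup.sh at the end` in tsig/ns1/named.conf.in name neither the file the keys come from nor the condition for appending them, so a reader has to open setup.sh to find rndc5.conf.in and the `$FEATURETEST --md5` guard. `# keys "md5" and "md5-trunc" are appended from rndc5.conf.in by setup.sh only when $FEATURETEST --md5 succeeds` would make the dependency explicit in one place. The name rndc5.conf.in is also easy to mistake for an rndc control-channel configuration, while its contents (visible in the new-file hunk) are two TSIG key statements; a name such as md5-keys.conf.in would read more clearly.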
+ $SHELL clean.sh + + copy_setports ns1/named.conf.in ns1/named.conf ++ ++if $FEATURETEST --md5 ++then ++ cat ns1/rndc5.conf.in >> ns1/named.conf ++fi +diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh +index 38d842a..668aa6f 100644 +--- a/bin/tests/system/tsig/tests.sh ++++ b/bin/tests/system/tsig/tests.sh +@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f + + status=0 + +-echo_i "fetching using hmac-md5 (old form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 +-fi ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (old form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi + +-echo_i "fetching using hmac-md5 (new form)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 +-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++ echo_i "fetching using hmac-md5 (new form)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 ++ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5" + fi + + echo_i "fetching using hmac-sha1" +@@ -87,12 +92,17 @@ fi + # Truncated TSIG + # + # +-echo_i "fetching using hmac-md5 (trunc)" +-ret=0 +-$DIG $DIGOPTS example.nil. 
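Review bot: `$FEATURETEST --md5` is spawned afresh in each guarded block of tsig/tests.sh (here, again at `fetching using hmac-md5 (trunc)` and at `fetching using hmac-md5-80 (BADTRUNC)`), so the skip decision is recomputed three times. Evaluating it once near `status=0`, e.g. `if $FEATURETEST --md5; then have_md5=1; else have_md5=0; fi`, and testing `$have_md5` in each block keeps the three decisions identical and mirrors the single decision setup.sh makes when appending the md5 keys. The `skipping using hmac-md5` message would also be more useful in logs if it said the algorithm was reported unavailable by the feature test.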
-y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 +-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5 (trunc)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 ++ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5 (trunc)" + fi + + echo_i "fetching using hmac-sha1 (trunc)" +@@ -141,12 +151,17 @@ fi + # Check for bad truncation. + # + # +-echo_i "fetching using hmac-md5-80 (BADTRUNC)" +-ret=0 +-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 +-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 +-if [ $ret -eq 1 ] ; then +- echo_i "failed"; status=1 ++if $FEATURETEST --md5 ++then ++ echo_i "fetching using hmac-md5-80 (BADTRUNC)" ++ ret=0 ++ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 ++ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 ++ if [ $ret -eq 1 ] ; then ++ echo_i "failed"; status=1 ++ fi ++else ++ echo_i "skipping using hmac-md5-80 (BADTRUNC)" + fi + + echo_i "fetching using hmac-sha1-80 (BADTRUNC)" +diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in +index 3873c7c..b359a5a 100644 +--- a/bin/tests/system/upforwd/ns1/named.conf.in ++++ b/bin/tests/system/upforwd/ns1/named.conf.in +@@ -10,7 +10,7 @@ + */ + + key "update.example." 
{ +- algorithm "hmac-md5"; ++ algorithm "hmac-sha256"; + secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; + }; + +diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh +index a50c896..8062d68 100644 +--- a/bin/tests/system/upforwd/tests.sh ++++ b/bin/tests/system/upforwd/tests.sh +@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi + + echo_i "updating zone (signed) ($n)" + ret=0 +-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < +Date: Tue, 2 Jan 2018 18:13:07 +0100 +Subject: [PATCH] Fix pkcs11 variants atf tests + +Add dns-pkcs11 tests Makefile to configure + +Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode +--- + configure.ac | 1 + + lib/Kyuafile | 2 ++ + lib/dns-pkcs11/tests/dh_test.c | 3 ++- + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index d80ae31..0fb9328 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([ + lib/dns-pkcs11/include/Makefile + lib/dns-pkcs11/include/dns/Makefile + lib/dns-pkcs11/include/dst/Makefile ++ lib/dns-pkcs11/tests/Makefile + lib/irs/Makefile + lib/irs/include/Makefile + lib/irs/include/irs/Makefile +diff --git a/lib/Kyuafile b/lib/Kyuafile +index 39ce986..037e5ef 100644 +--- a/lib/Kyuafile ++++ b/lib/Kyuafile +@@ -2,8 +2,10 @@ syntax(2) + test_suite('bind9') + + include('dns/Kyuafile') ++include('dns-pkcs11/Kyuafile') + include('irs/Kyuafile') + include('isc/Kyuafile') + include('isccc/Kyuafile') + include('isccfg/Kyuafile') + include('ns/Kyuafile') ++include('ns-pkcs11/Kyuafile') +diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c +index 934e8fd..658d1af 100644 +--- a/lib/dns-pkcs11/tests/dh_test.c ++++ b/lib/dns-pkcs11/tests/dh_test.c +@@ -87,7 +87,8 @@ dh_computesecret(void **state) { + result = dst_key_computesecret(key, key, &buf); + assert_int_equal(result, 
DST_R_NOTPRIVATEKEY);
+ result = key->func->computesecret(key, key, &buf);
+- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
++ /* PKCS11 variant gives different result, accept both */
++ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
+ 
+ dst_key_free(&key);
+ }
+-- 
+2.20.1
+
diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch
new file mode 100644
index 0000000..7429999
--- /dev/null
+++ b/bind-9.11-rh1666814.patch
@@ -0,0 +1,29 @@
+From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Wed, 16 Jan 2019 16:27:33 +0100
+Subject: [PATCH] Fix possible crash when loading corrupted file
+
+Some values passes internal triggers by coincidence. Fix the check and
+check also first_node_offset before even passing it further.
+---
+ lib/dns/rbt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
+index 5aee5f6..7f2c2d2 100644
+--- a/lib/dns/rbt.c
++++ b/lib/dns/rbt.c
+@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+ rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
+ header->first_node_offset);
+ 
+- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
++ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
++ || header->first_node_offset > filesize) {
++
+ result = ISC_R_INVALIDFILE;
+ goto cleanup;
+ }
+-- 
+2.31.1
+
diff --git a/bind-9.11-tests-variants.patch b/bind-9.11-tests-variants.patch
new file mode 100644
index 0000000..807a4a0
--- /dev/null
+++ b/bind-9.11-tests-variants.patch
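Review bot: The relaxed `assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY)` accepts either code in every build, so a regression in one variant that starts returning the other variant's code is no longer caught. Since this file lives under lib/dns-pkcs11/tests it is presumably compiled only for the PKCS#11 variant, in which case `assert_int_equal(result, DST_R_INVALIDPRIVATEKEY);` pins the expected value; if the source is shared with the OpenSSL build, selecting the expected code under `#if USE_PKCS11` keeps the test exact. The comment should also say which backend yields which code, e.g. `/* native PKCS#11 reports DST_R_INVALIDPRIVATEKEY here, OpenSSL DST_R_COMPUTESECRETFAILURE */`. dh_computesecret begins outside the hunk.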
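Review bot: The added bound `header->first_node_offset > filesize` still lets a corrupted file place the root node beyond the mapping, because the offset is applied on top of `header_offset` and the node occupies `sizeof(dns_rbtnode_t)` bytes, so an offset just below `filesize` passes. It is also evaluated after `rbt->root` has been computed two lines above, so the out-of-range pointer is formed before it is rejected. The existing `header->nodecount * sizeof(dns_rbtnode_t)` term can wrap for a large nodecount on a 32-bit `size_t`; `header->nodecount > filesize / sizeof(dns_rbtnode_t)` avoids the multiplication. A tighter form is `header->first_node_offset > filesize - header_offset - sizeof(dns_rbtnode_t)`, moved ahead of the `rbt->root` assignment, assuming `header_offset` has already been checked against `filesize` earlier in dns_rbt_deserialize_tree, whose body lies outside the hunk.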
@@ -0,0 +1,65 @@ +From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Fri, 1 Mar 2019 15:48:20 +0100 +Subject: [PATCH] Make alternative named builds testable in system tests + +Red Hat has alternative variant builds of named, which are not ever +tested by system tests. New variables make it relatively easy to test +alternative variants. + +For sdb variant use: +export NAMED_VARIANT=-sdb DNSSEC_VARIANT= + +For pkcs variant use: +export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11 +--- + bin/tests/system/conf.sh.in | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index d859909..9152f07 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen + DELV=$TOP/bin/delv/delv + DIG=$TOP/bin/dig/dig + DNSTAPREAD=$TOP/bin/tools/dnstap-read +-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey +-FEATURETEST=$TOP/bin/named/feature-test ++DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT} ++FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT} + FSTRM_CAPTURE=@FSTRM_CAPTURE@ + HOST=$TOP/bin/dig/host +-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey ++IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT} + JOURNALPRINT=$TOP/bin/tools/named-journalprint +-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel +-KEYGEN=$TOP/bin/dnssec/dnssec-keygen ++KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT} ++KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT} + KEYMGR=$TOP/bin/python/dnssec-keymgr + MDIG=$TOP/bin/tools/mdig +-NAMED=$TOP/bin/named/named ++NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT} + NSEC3HASH=$TOP/bin/tools/nsec3hash + NSLOOKUP=$TOP/bin/dig/nslookup + NSUPDATE=$TOP/bin/nsupdate/nsupdate +@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy 
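Review bot: The new `NAMED_VARIANT` and `DNSSEC_VARIANT` variables are consumed in conf.sh.in without any comment, so the only explanation of their meaning is the commit message; a comment above the first use such as `# NAMED_VARIANT / DNSSEC_VARIANT: optional suffix (e.g. -pkcs11) added to the directory and binary names of named and the dnssec-* tools; leave unset for the default build` would keep it discoverable. In the second hunk `VERIFY=$TOP/bin/dnssec/dnssec-verify` is left unsuffixed while the surrounding dnssec-* tools gain `${DNSSEC_VARIANT}`; if that is deliberate because no variant build of dnssec-verify exists, a short comment on that line would stop it being read as an omission.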
-s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" + PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" + PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" + RESOLVE=$TOP/bin/tests/system/resolve +-REVOKE=$TOP/bin/dnssec/dnssec-revoke ++REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT} + RNDC=$TOP/bin/rndc/rndc + RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen + RRCHECKER=$TOP/bin/tools/named-rrchecker +-SETTIME=$TOP/bin/dnssec/dnssec-settime +-SIGNER=$TOP/bin/dnssec/dnssec-signzone ++SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT} ++SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT} + TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen + VERIFY=$TOP/bin/dnssec/dnssec-verify + WIRETEST=$TOP/bin/tests/wire_test +-- +2.26.3 + diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch new file mode 100644 index 0000000..0d62df6 --- /dev/null +++ b/bind-9.14-config-pkcs11.patch 
@@ -0,0 +1,83 @@
+From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Fri, 18 Oct 2019 21:30:52 +0200
+Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
+
+Building two variants with the same common code requires to unset
+USE_PKCS11 on part of build. That is not possible with config.h value.
+Move it as normal define to CDEFINES.
+---
+ bin/confgen/Makefile.in | 2 +-
+ configure.ac | 8 ++++++--
+ lib/dns/dst_internal.h | 12 +++++++++---
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
+index 1b7512d..c126bf3 100644
+--- a/bin/confgen/Makefile.in
++++ b/bin/confgen/Makefile.in
+@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
+ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+ 
+-CDEFINES =
++CDEFINES = @USE_PKCS11@
+ CWARNINGS =
+ 
+ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+diff --git a/configure.ac b/configure.ac
+index f5483fe..08a7d8a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
+ AC_SUBST([PKCS11_TOOLS])
+ AC_SUBST([PKCS11_MANS])
+ 
++USE_PKCS11='-DUSE_PKCS11=0'
++USE_OPENSSL='-DUSE_OPENSSL=0'
+ AC_SUBST([CRYPTO])
+ AS_CASE([$CRYPTO],
+- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
+- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
++ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
++ [USE_OPENSSL='-DUSE_OPENSSL=1'])
++AC_SUBST(USE_PKCS11)
++AC_SUBST(USE_OPENSSL)
+ 
+ # preparation for automake
+ # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
+diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
+index 2c3b4a3..55e9dc4 100644
+--- a/lib/dns/dst_internal.h
++++ b/lib/dns/dst_internal.h
+@@ -38,6 +38,13 @@
+ #include
+ #include
+ 
++#ifndef USE_PKCS11
++#define USE_PKCS11 0
++#endif
++#ifndef USE_OPENSSL 
++#define USE_OPENSSL (! USE_PKCS11)
++#endif
++
+ #if USE_PKCS11
+ #include
+ #include
+@@ -116,11 +123,10 @@ struct dst_key {
+ void *generic;
+ dns_gss_ctx_id_t gssctx;
+ DH *dh;
+-#if USE_OPENSSL
+- EVP_PKEY *pkey;
+-#endif /* if USE_OPENSSL */
+ #if USE_PKCS11
+ pk11_object_t *pkey;
++#else
++ EVP_PKEY *pkey;
+ #endif /* if USE_PKCS11 */
+ dst_hmac_key_t *hmac_key;
+ } keydata; /*%< pointer to key in crypto pkg fmt */
+--
+2.26.2
+
diff --git a/bind-9.16-CVE-2021-25220-test.patch b/bind-9.16-CVE-2021-25220-test.patch
new file mode 100644
index 0000000..150aa87
--- /dev/null
+++ b/bind-9.16-CVE-2021-25220-test.patch
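Review bot: Once the `AC_DEFINE` lines are gone, `USE_PKCS11` reaches a translation unit only through `CDEFINES`, yet the diffstat shows only `bin/confgen/Makefile.in` picking up `@USE_PKCS11@`; every other object that includes `dst_internal.h` takes the new `#ifndef USE_PKCS11` / `#define USE_PKCS11 0` default and is compiled with the `EVP_PKEY *pkey` arm of `keydata`, so a pkcs11 build could link objects that disagree about what `keydata.pkey` points to, and because both arms are pointers nothing at compile or link time would notice (unless another patch in this series adds the define to the remaining Makefiles, which this hunk cannot show). If defaulting to the OpenSSL backend is the intended contract, a comment above the fallback should say so, e.g. `/* Default to the OpenSSL backend; objects built for the pkcs11 variant must receive -DUSE_PKCS11=1 via CDEFINES. */`. A cheap guard against the contradictory case is `#if USE_PKCS11 && USE_OPENSSL`, `#error "USE_PKCS11 and USE_OPENSSL are mutually exclusive"`, `#endif` right after the fallback. Minor style point in the configure.ac hunk: `AC_SUBST(USE_PKCS11)` and `AC_SUBST(USE_OPENSSL)` drop the `[...]` quoting that the surrounding `AC_SUBST([...])` calls use.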
@@ -0,0 +1,1144 @@ +From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 18 Jan 2022 00:19:47 +1100 +Subject: [PATCH] Add tests for forwarder cache poisoning scenarios + +- Check that an NS in an authority section returned from a forwarder + which is above the name in a configured "forward first" or "forward + only" zone (i.e., net/NS in a response from a forwarder configured for + local.net) is not cached. +- Test that a DNAME for a parent domain will not be cached when sent + in a response from a forwarder configured to answer for a child. +- Check that glue is rejected if its name falls below that of zone + configured locally. +- Check that an extra out-of-bailiwick data in the answer section is + not cached (this was already working correctly, but was not explicitly + tested before). + +(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) +(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739) +--- + bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ + bin/tests/system/forward/clean.sh | 2 + + bin/tests/system/forward/ns1/diditwork.net.db | 22 +++ + bin/tests/system/forward/ns1/named.conf.in | 20 +++ + bin/tests/system/forward/ns1/net.example.lll | 15 ++ + bin/tests/system/forward/ns1/spoofed.net.db | 22 +++ + bin/tests/system/forward/ns1/sub.local.net.db | 22 +++ + bin/tests/system/forward/ns10/fakenet.zone | 17 +++ + bin/tests/system/forward/ns10/fakenet2.zone | 15 ++ + .../system/forward/ns10/fakesublocalnet.zone | 15 ++ + .../system/forward/ns10/fakesublocaltld.zone | 15 ++ + bin/tests/system/forward/ns10/named.conf.in | 53 +++++++ + bin/tests/system/forward/ns10/net.example.lll | 15 ++ + bin/tests/system/forward/ns10/spoofednet.zone | 16 +++ + bin/tests/system/forward/ns2/tld.db | 6 + + bin/tests/system/forward/ns4/named.conf.in | 5 + + bin/tests/system/forward/ns4/sibling.tld.db | 22 +++ + bin/tests/system/forward/ns8/named.conf.in | 5 + + 
bin/tests/system/forward/ns8/sub.local.tld.db | 15 ++ + bin/tests/system/forward/ns9/local.net.db | 16 +++ + bin/tests/system/forward/ns9/local.tld.db | 15 ++ + bin/tests/system/forward/ns9/named1.conf.in | 67 +++++++++ + bin/tests/system/forward/ns9/named2.conf.in | 70 +++++++++ + bin/tests/system/forward/ns9/named3.conf.in | 50 +++++++ + bin/tests/system/forward/ns9/named4.conf.in | 47 ++++++ + bin/tests/system/forward/ns9/root.db | 13 ++ + bin/tests/system/forward/setup.sh | 2 + + bin/tests/system/forward/tests.sh | 122 ++++++++++++++++ + bin/tests/system/ifconfig.sh | 8 +- + 29 files changed, 844 insertions(+), 4 deletions(-) + create mode 100644 bin/tests/system/forward/ans11/ans.py + create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db + create mode 100644 bin/tests/system/forward/ns1/net.example.lll + create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db + create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db + create mode 100644 bin/tests/system/forward/ns10/fakenet.zone + create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone + create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone + create mode 100644 bin/tests/system/forward/ns10/named.conf.in + create mode 100644 bin/tests/system/forward/ns10/net.example.lll + create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone + create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db + create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db + create mode 100644 bin/tests/system/forward/ns9/local.net.db + create mode 100644 bin/tests/system/forward/ns9/local.tld.db + create mode 100644 bin/tests/system/forward/ns9/named1.conf.in + create mode 100644 bin/tests/system/forward/ns9/named2.conf.in + create mode 100644 bin/tests/system/forward/ns9/named3.conf.in + create mode 100644 bin/tests/system/forward/ns9/named4.conf.in + create mode 100644 
bin/tests/system/forward/ns9/root.db + +diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py +new file mode 100644 +index 0000000000..1d35b3d3f1 +--- /dev/null ++++ b/bin/tests/system/forward/ans11/ans.py +@@ -0,0 +1,136 @@ ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# SPDX-License-Identifier: MPL-2.0 ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++from __future__ import print_function ++import os ++import sys ++import signal ++import socket ++import select ++from datetime import datetime, timedelta ++import time ++import functools ++ ++import dns, dns.message, dns.query, dns.flags ++from dns.rdatatype import * ++from dns.rdataclass import * ++from dns.rcode import * ++from dns.name import * ++ ++# Log query to file ++def logquery(type, qname): ++ with open("qlog", "a") as f: ++ f.write("%s %s\n", type, qname) ++ ++############################################################################ ++# Respond to a DNS query. ++############################################################################ ++def create_response(msg): ++ m = dns.message.from_wire(msg) ++ qname = m.question[0].name.to_text() ++ rrtype = m.question[0].rdtype ++ typename = dns.rdatatype.to_text(rrtype) ++ ++ with open("query.log", "a") as f: ++ f.write("%s %s\n" % (typename, qname)) ++ print("%s %s" % (typename, qname), end=" ") ++ ++ r = dns.message.make_response(m) ++ r.set_rcode(NOERROR) ++ if rrtype == A: ++ tld=qname.split('.')[-2] + '.' ++ ns="local." + tld ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) ++ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." 
+ tld)) ++ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) ++ elif rrtype == NS: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) ++ elif rrtype == SOA: ++ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ else: ++ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) ++ r.flags |= dns.flags.AA ++ return r ++ ++def sigterm(signum, frame): ++ print ("Shutting down now...") ++ os.remove('ans.pid') ++ running = False ++ sys.exit(0) ++ ++############################################################################ ++# Main ++# ++# Set up responder and control channel, open the pid file, and start ++# the main loop, listening for queries on the query channel or commands ++# on the control channel and acting on them. ++############################################################################ ++ip4 = "10.53.0.11" ++ip6 = "fd92:7065:b8e:ffff::11" ++ ++try: port=int(os.environ['PORT']) ++except: port=5300 ++ ++query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++query4_socket.bind((ip4, port)) ++havev6 = True ++try: ++ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) ++ try: ++ query6_socket.bind((ip6, port)) ++ except: ++ query6_socket.close() ++ havev6 = False ++except: ++ havev6 = False ++signal.signal(signal.SIGTERM, sigterm) ++ ++f = open('ans.pid', 'w') ++pid = os.getpid() ++print (pid, file=f) ++f.close() ++ ++running = True ++ ++print ("Listening on %s port %d" % (ip4, port)) ++if havev6: ++ print ("Listening on %s port %d" % (ip6, port)) ++print ("Ctrl-c to quit") ++ ++if havev6: ++ input = [query4_socket, query6_socket] ++else: ++ input = [query4_socket] ++ ++while running: ++ try: ++ inputready, outputready, exceptready = select.select(input, [], []) ++ except select.error as e: ++ break ++ except socket.error as e: ++ break ++ except KeyboardInterrupt: ++ break ++ ++ for s in inputready: ++ if s == query4_socket or s == query6_socket: ++ 
print ("Query received on %s" % ++ (ip4 if s == query4_socket else ip6), end=" ") ++ # Handle incoming queries ++ msg = s.recvfrom(65535) ++ rsp = create_response(msg[0]) ++ if rsp: ++ print(dns.rcode.to_text(rsp.rcode())) ++ s.sendto(rsp.to_wire(), msg[1]) ++ else: ++ print("NO RESPONSE") ++ if not running: ++ break +diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh +index bc04eadb2c..b65b092680 100644 +--- a/bin/tests/system/forward/clean.sh ++++ b/bin/tests/system/forward/clean.sh +@@ -10,10 +10,12 @@ + # + # Clean up after forward tests. + # ++rm -f ./ans11/query.log + rm -f ./dig.out.* + rm -f ./*/named.conf + rm -f ./*/named.memstats + rm -f ./*/named.run ./*/named.run.prev ++rm -f ./*/named_dump.db + rm -f ./ns*/named.lock + rm -f ./ns*/managed-keys.bind* + rm -f ./ns1/root.db ./ns1/root.db.signed +diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db +new file mode 100644 +index 0000000000..fd9a46eb0c +--- /dev/null ++++ b/bin/tests/system/forward/ns1/diditwork.net.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. 
++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in +index 4aef4e55e5..c5fb2eb172 100644 +--- a/bin/tests/system/forward/ns1/named.conf.in ++++ b/bin/tests/system/forward/ns1/named.conf.in +@@ -63,3 +63,23 @@ zone "sld.tld" { + zone "example6" { + type forward; + }; ++ ++zone "diditwork.net" { ++ type primary; ++ file "diditwork.net.db"; ++}; ++ ++zone "spoofed.net" { ++ type primary; ++ file "spoofed.net.db"; ++}; ++ ++zone "sub.local.net" { ++ type primary; ++ file "sub.local.net.db"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; +diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll +new file mode 100644 +index 0000000000..ba0804fd75 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/net.example.lll +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. 
TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db +new file mode 100644 +index 0000000000..eedc46f5c0 +--- /dev/null ++++ b/bin/tests/system/forward/ns1/spoofed.net.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ns A 10.53.0.1 ++sub TXT "recursed" +diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db +new file mode 100644 +index 0000000000..fd9a46eb0c +--- /dev/null ++++ b/bin/tests/system/forward/ns1/sub.local.net.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. 
++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns root ( ++ 2000082401 ; serial ++ 1800 ; refresh (30 minutes) ++ 1800 ; retry (30 minutes) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns ++ TXT "recursed" ++ns A 10.53.0.1 +diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone +new file mode 100644 +index 0000000000..b655a32459 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet.zone +@@ -0,0 +1,17 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net. SOA . . 0 0 0 0 0 ++net. NS attackSecureDomain.net. ++attackSecureDomain.net. A 10.53.0.10 ++didItWork.net. TXT "if you can see this record the attack worked" ++ns.spoofed.net. A 10.53.0.10 +diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone +new file mode 100644 +index 0000000000..cd1e6e9944 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakenet2.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net2. SOA . . 0 0 0 0 0 ++net2. NS attackSecureDomain.net. ++net2. DNAME net.example.lll. 
+diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone +new file mode 100644 +index 0000000000..160b5332b2 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++sub.local.net. SOA . . 0 0 0 0 0 ++sub.local.net. NS ns.spoofed.net. ++sub.local.net. TXT "if you see this attacker overrode local delegation" +diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone +new file mode 100644 +index 0000000000..f78cbc77f6 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT bad ++ns.sub.local.tld. 
3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in +new file mode 100644 +index 0000000000..1f318dd867 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/named.conf.in +@@ -0,0 +1,53 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.10; ++ notify-source 10.53.0.10; ++ transfer-source 10.53.0.10; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.10; }; ++ listen-on-v6 { none; }; ++ minimal-responses no; ++}; ++ ++zone "net." { ++ type master; ++ file "fakenet.zone"; ++}; ++ ++zone "spoofed.net." { ++ type master; ++ file "spoofednet.zone"; ++}; ++ ++zone "sub.local.net." { ++ type master; ++ file "fakesublocalnet.zone"; ++}; ++ ++zone "net2" { ++ type master; ++ file "fakenet2.zone"; ++}; ++ ++zone "net.example.lll" { ++ type master; ++ file "net.example.lll"; ++}; ++ ++zone "sub.local.tld." { ++ type master; ++ file "fakesublocaltld.zone"; ++}; +diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll +new file mode 100644 +index 0000000000..ba0804fd75 +--- /dev/null ++++ b/bin/tests/system/forward/ns10/net.example.lll +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. 
++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++net.example.lll. SOA . . 0 0 0 0 0 ++net.example.lll. NS attackSecureDomain.net. ++didItWork.net.example.lll. TXT "if you can see this record the attack worked" +diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone +new file mode 100644 +index 0000000000..fb70a4372b +--- /dev/null ++++ b/bin/tests/system/forward/ns10/spoofednet.zone +@@ -0,0 +1,16 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++spoofed.net. SOA . . 0 0 0 0 0 ++spoofed.net. NS ns.spoofed.net. ++ns.spoofed.net. A 10.53.0.10 ++spoofed.net. TXT "this record is clearly spoofed" +diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db +index 61b6569b07..819210dc05 100644 +--- a/bin/tests/system/forward/ns2/tld.db ++++ b/bin/tests/system/forward/ns2/tld.db +@@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes + ns A 10.53.0.2 + sld NS ns.sld + ns.sld A 10.53.0.1 ++local NS ns.local ++ns.local A 10.53.0.9 ++sibling NS ns.sibling ++ns.sibling A 10.53.0.4 ++sibling NS ns.sub.local ++ns.sub.local A 10.53.0.10 +diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in +index 855b4bfb82..85349aa97e 100644 +--- a/bin/tests/system/forward/ns4/named.conf.in ++++ b/bin/tests/system/forward/ns4/named.conf.in +@@ -60,3 +60,8 @@ zone "malicious." 
{ + type primary; + file "malicious.db"; + }; ++ ++zone "sibling.tld" { ++ type primary; ++ file "sibling.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db +new file mode 100644 +index 0000000000..fe080ae974 +--- /dev/null ++++ b/bin/tests/system/forward/ns4/sibling.tld.db +@@ -0,0 +1,22 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 86400 ++@ IN SOA malicious. admin.malicious. ( ++ 1 ; Serial ++ 604800 ; Refresh ++ 86400 ; Retry ++ 2419200 ; Expire ++ 86400 ) ; Negative Cache TTL ++ ++@ IN NS ns ++ ++ns IN A 10.53.0.4 +diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in +index 531ff59ece..f752eae885 100644 +--- a/bin/tests/system/forward/ns8/named.conf.in ++++ b/bin/tests/system/forward/ns8/named.conf.in +@@ -26,3 +26,8 @@ zone "." { + type hint; + file "root.db"; + }; ++ ++zone "sub.local.tld" { ++ type primary; ++ file "sub.local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db +new file mode 100644 +index 0000000000..f2234c754e +--- /dev/null ++++ b/bin/tests/system/forward/ns8/sub.local.tld.db +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. 
++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 ++sub.local.tld. 3600 IN NS ns.sub.local.tld. ++sub.local.tld. 3600 IN TXT good ++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db +new file mode 100644 +index 0000000000..af0d2a5a67 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.net.db +@@ -0,0 +1,16 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.net. 3600 IN SOA . . 0 0 0 0 0 ++local.net. 3600 IN NS localhost. ++ns.local.net. 3600 IN A 10.53.0.9 ++txt.local.net. 3600 IN TXT "something in the local auth zone" ++sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this +diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db +new file mode 100644 +index 0000000000..876a9139da +--- /dev/null ++++ b/bin/tests/system/forward/ns9/local.tld.db +@@ -0,0 +1,15 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++local.tld. 3600 IN SOA . . 0 0 0 0 0 ++local.tld. 3600 IN NS localhost. ++sub.local.tld. 3600 IN NS ns.sub.local.tld. 
++ns.sub.local.tld. 3600 IN A 10.53.0.8 +diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in +new file mode 100644 +index 0000000000..be9a43842f +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named1.conf.in +@@ -0,0 +1,67 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type primary; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in +new file mode 100644 +index 0000000000..2c40b42a0c +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named2.conf.in +@@ -0,0 +1,70 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. 
("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++server 10.53.0.11 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "attacksecuredomain.net." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net2." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++zone "attacksecuredomain.net3." { ++ type forward; ++ forward only; ++ forwarders { 10.53.0.11; }; ++}; ++ ++zone "local.net." { ++ type primary; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in +new file mode 100644 +index 0000000000..576f57c10b +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named3.conf.in +@@ -0,0 +1,50 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++ forward only; ++ forwarders { 10.53.0.10; }; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." { ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.net." { ++ type primary; ++ file "local.net.db"; ++ forwarders {}; ++}; +diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in +new file mode 100644 +index 0000000000..5cd7d84109 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/named4.conf.in +@@ -0,0 +1,47 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.9; ++ notify-source 10.53.0.9; ++ transfer-source 10.53.0.9; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.9; }; ++ listen-on-v6 { none; }; ++ dnssec-validation no; ++ edns-udp-size 1232; ++}; ++ ++key rndc_key { ++ secret "1234abcd8765"; ++ algorithm hmac-sha256; ++}; ++ ++controls { ++ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++server 10.53.0.10 { ++ edns no; ++}; ++ ++zone "." 
{ ++ type hint; ++ file "root.db"; ++}; ++ ++zone "local.tld." { ++ type primary; ++ file "local.tld.db"; ++}; +diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db +new file mode 100644 +index 0000000000..2cbdff5977 +--- /dev/null ++++ b/bin/tests/system/forward/ns9/root.db +@@ -0,0 +1,13 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++. NS a.root-servers.nil. ++a.root-servers.nil. A 10.53.0.1 +diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh +index 21cf67b782..a56dd3c03f 100644 +--- a/bin/tests/system/forward/setup.sh ++++ b/bin/tests/system/forward/setup.sh +@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.in ns5/named.conf + copy_setports ns7/named.conf.in ns7/named.conf + copy_setports ns8/named.conf.in ns8/named.conf ++copy_setports ns9/named1.conf.in ns9/named.conf ++copy_setports ns10/named.conf.in ns10/named.conf + + ( + cd ns1 +diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh +index 6096b06ca7..dfbaf887f7 100644 +--- a/bin/tests/system/forward/tests.sh ++++ b/bin/tests/system/forward/tests.sh +@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + ++# ++# Check various spoofed response scenarios. The same tests will be ++# run twice, with "forward first" and "forward only" configurations. 
++# ++run_spooftests () { ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++ # check 'net' is not poisoned. ++ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 ++ # check 'sub.local.net' is not poisoned. ++ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++ # check that net2/DNAME is not cached ++ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 ++ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++ ++ n=$((n+1)) ++ echo_i "checking spoofed response scenario 3 - extra answer ($n)" ++ ret=0 ++ # prime ++ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 ++ # check extra net3 records are not cached ++ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i ++ for try in 1 2 3 4 5; do ++ lines=$(grep "net3" ns9/named_dump.db | wc -l) ++ if [ ${lines} -eq 0 ]; then ++ sleep 1 ++ continue ++ fi ++ [ ${lines} -eq 1 ] || ret=1 ++ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 ++ grep -q '^local.net3' ns9/named_dump.db && ret=1 ++ done ++ if [ $ret != 0 ]; then echo_i "failed"; fi ++ status=$((status+ret)) ++} ++ ++echo_i "checking spoofed response scenarios with forward first zones" ++run_spooftests ++ ++copy_setports ns9/named2.conf.in ns9/named.conf ++rndccmd 10.53.0.9 
reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++echo_i "rechecking spoofed response scenarios with forward only zones" ++run_spooftests ++ ++# ++# This scenario expects the spoofed response to succeed. The tests are ++# similar to the ones above, but not identical. ++# ++echo_i "rechecking spoofed response scenarios with 'forward only' set globally" ++copy_setports ns9/named3.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 ++# check 'net' is poisoned. ++dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 ++grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 ++# check 'sub.local.net' is poisoned. ++dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 ++grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++n=$((n+1)) ++echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 ++# check that net2/DNAME is cached ++dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 ++grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 ++grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ ++# ++# This test doesn't use any forwarder clauses but is here because it ++# is similar to forwarders, as the set of servers that can populate ++# the namespace is defined by the zone content. 
++# ++echo_i "rechecking spoofed response scenarios glue below local zone" ++copy_setports ns9/named4.conf.in ns9/named.conf ++rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i ++rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 1 ++ ++n=$((n+1)) ++echo_i "checking sibling glue below zone ($n)" ++ret=0 ++# prime ++dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 ++# check for glue A record for sub.local.tld is not used ++dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 ++grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 ++grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=$((status+ret)) ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh +index e078f3313b..2a4d955caf 100755 +--- a/bin/tests/system/ifconfig.sh ++++ b/bin/tests/system/ifconfig.sh +@@ -12,10 +12,10 @@ + # + # Set up interface aliases for bind9 system tests. + # +-# IPv4: 10.53.0.{1..10} RFC 1918 ++# IPv4: 10.53.0.{1..11} RFC 1918 + # 10.53.1.{1..2} + # 10.53.2.{1..2} +-# IPv6: fd92:7065:b8e:ffff::{1..10} ULA ++# IPv6: fd92:7065:b8e:ffff::{1..11} ULA + # fd92:7065:b8e:99ff::{1..2} + # fd92:7065:b8e:ff::{1..2} + # +@@ -55,7 +55,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 1 2 3 4 5 6 7 8 9 10 ++ for ns in 1 2 3 4 5 6 7 8 9 10 11 + do + [ $i -gt 0 -a $ns -gt 2 ] && break + int=`expr $i \* 10 + $ns` +@@ -160,7 +160,7 @@ case "$1" in + 2) ipv6="00" ;; + *) ipv6="" ;; + esac +- for ns in 10 9 8 7 6 5 4 3 2 1 ++ for ns in 11 10 9 8 7 6 5 4 3 2 1 + do + [ $i -gt 0 -a $ns -gt 2 ] && continue + int=`expr $i \* 10 + $ns - 1` +-- +2.34.1 + diff --git a/bind-9.16-CVE-2021-25220.patch b/bind-9.16-CVE-2021-25220.patch new file mode 100644 index 0000000..de75ab8 --- /dev/null +++ b/bind-9.16-CVE-2021-25220.patch 
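Review bot: In scenario 3 of `run_spooftests` ("extra answer") the wait loop can pass without checking anything: if `ns9/named_dump.db` never gains a `net3` line, every one of the five iterations takes the `sleep 1; continue` path, `ret` stays 0 and the test reports success although the cache was never inspected (e.g. when `rndc dumpdb` is slow or writes elsewhere). Because `lines` is recomputed each iteration and the dump only grows, one line after the loop closes that gap: `[ ${lines} -gt 0 ] || ret=1`. Two smaller points in the same hunk: once the dump has appeared the loop keeps re-running the same greps for the remaining tries (a `break` after the checks would do), and the three `rndccmd 10.53.0.9 ... | sed 's/^/ns3 /'` pipelines label output as `ns3` although the server being reconfigured and flushed is ns9.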
@@ -0,0 +1,251 @@ +From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 19 Jan 2022 17:38:18 +1100 +Subject: [PATCH] Add additional name checks when using a forwarder + +When using a forwarder, check that the owner name of response +records are within the bailiwick of the forwarded name space. + +(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b) + +Check that the forward declaration is unchanged and not overridden + +If we are using a fowarder, in addition to checking that names to +be cached are subdomains of the forwarded namespace, we must also +check that there are no subsidiary forwarded namespaces which would +take precedence. To be safe, we don't cache any responses if the +forwarding configuration has changed since the query was sent. + +(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3) + +Check cached names for possible "forward only" clause + +When caching additional and glue data *not* from a forwarder, we must +check that there is no "forward only" clause covering the owner name +that would take precedence. Such names would normally be allowed by +baliwick rules, but a "forward only" zone introduces a new baliwick +scope. + +(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78) + +Look for zones deeper than the current domain or forward name + +When caching glue, we need to ensure that there is no closer +source of truth for the name. If the owner name for the glue +record would be answered by a locally configured zone, do not +cache. 
+ +(cherry picked from commit 71b24210542730355149130770deea3e58d8527a) +--- + lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 123 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index a7bc661bb7..7603a07b7b 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -63,6 +63,8 @@ + #include + #include + #include ++#include ++ + #ifdef WANT_QUERYTRACE + #define RTRACE(m) \ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \ +@@ -337,6 +339,8 @@ struct fetchctx { + dns_fetch_t *qminfetch; + dns_rdataset_t qminrrset; + dns_name_t qmindcname; ++ dns_fixedname_t fwdfname; ++ dns_name_t *fwdname; + + /*% + * The number of events we're waiting for. +@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + if (result == ISC_R_SUCCESS) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copynf(domain, fctx->fwdname); + if (fctx->fwdpolicy == dns_fwdpolicy_only && + isstrictsubdomain(domain, &fctx->domain)) + { +@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, + fctx->restarts = 0; + fctx->querysent = 0; + fctx->referrals = 0; ++ ++ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); ++ + TIME_NOW(&fctx->start); + fctx->timeouts = 0; + fctx->lamecount = 0; +@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type, + fname, &forwarders); + if (result == ISC_R_SUCCESS) { + fctx->fwdpolicy = forwarders->fwdpolicy; ++ dns_name_copynf(fname, fctx->fwdname); + } + + if (fctx->fwdpolicy != dns_fwdpolicy_only) { +@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external, + } + } + ++/* ++ * Returns true if 'name' is external to the namespace for which ++ * the server being queried can answer, either because it's not a ++ * subdomain or because it's below a forward declaration or a ++ * locally 
served zone. ++ */ ++static inline bool ++name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { ++ isc_result_t result; ++ dns_forwarders_t *forwarders = NULL; ++ dns_fixedname_t fixed, zfixed; ++ dns_name_t *fname = dns_fixedname_initname(&fixed); ++ dns_name_t *zfname = dns_fixedname_initname(&zfixed); ++ dns_name_t *apex = NULL; ++ dns_name_t suffix; ++ dns_zone_t *zone = NULL; ++ unsigned int labels; ++ dns_namereln_t rel; ++ ++ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; ++ ++ /* ++ * The name is outside the queried namespace. ++ */ ++ rel = dns_name_fullcompare(name, apex, &(int){ 0 }, ++ &(unsigned int){ 0U }); ++ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { ++ return (true); ++ } ++ ++ /* ++ * If the record lives in the parent zone, adjust the name so we ++ * look for the correct zone or forward clause. ++ */ ++ labels = dns_name_countlabels(name); ++ if (dns_rdatatype_atparent(type) && labels > 1U) { ++ dns_name_init(&suffix, NULL); ++ dns_name_getlabelsequence(name, 1, labels - 1, &suffix); ++ name = &suffix; ++ } else if (rel == dns_namereln_equal) { ++ /* If 'name' is 'apex', no further checking is needed. */ ++ return (false); ++ } ++ ++ /* ++ * If there is a locally served zone between 'apex' and 'name' ++ * then don't cache. ++ */ ++ LOCK(&fctx->res->view->lock); ++ if (fctx->res->view->zonetable != NULL) { ++ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR; ++ result = dns_zt_find(fctx->res->view->zonetable, name, options, ++ zfname, &zone); ++ if (zone != NULL) { ++ dns_zone_detach(&zone); ++ } ++ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { ++ if (dns_name_fullcompare(zfname, apex, &(int){ 0 }, ++ &(unsigned int){ 0U }) == ++ dns_namereln_subdomain) ++ { ++ UNLOCK(&fctx->res->view->lock); ++ return (true); ++ } ++ } ++ } ++ UNLOCK(&fctx->res->view->lock); ++ ++ /* ++ * Look for a forward declaration below 'name'. 
++ */ ++ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname, ++ &forwarders); ++ ++ if (ISFORWARDER(fctx->addrinfo)) { ++ /* ++ * See if the forwarder declaration is better. ++ */ ++ if (result == ISC_R_SUCCESS) { ++ return (!dns_name_equal(fname, fctx->fwdname)); ++ } ++ ++ /* ++ * If the lookup failed, the configuration must have ++ * changed: play it safe and don't cache. ++ */ ++ return (true); ++ } else if (result == ISC_R_SUCCESS && ++ forwarders->fwdpolicy == dns_fwdpolicy_only && ++ !ISC_LIST_EMPTY(forwarders->fwdrs)) ++ { ++ /* ++ * If 'name' is covered by a 'forward only' clause then we ++ * can't cache this repsonse. ++ */ ++ return (true); ++ } ++ ++ return (false); ++} ++ + static isc_result_t + check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type, + dns_section_t section) { +@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type, + result = dns_message_findname(rctx->query->rmessage, section, addname, + dns_rdatatype_any, 0, &name, NULL); + if (result == ISC_R_SUCCESS) { +- external = !dns_name_issubdomain(name, &fctx->domain); ++ external = name_external(name, type, fctx); + if (type == dns_rdatatype_a) { + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; +@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) { + break; + + case dns_namereln_subdomain: ++ /* ++ * Don't accept DNAME from parent namespace. ++ */ ++ if (name_external(name, dns_rdatatype_dname, fctx)) { ++ continue; ++ } ++ + /* + * In-scope DNAME records must have at least + * as many labels as the domain being queried. 
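Review bot: The zone-table lookup in the new `name_external()` is made with `DNS_ZTFIND_NOEXACT`, so a record whose owner name is exactly the apex of a locally served zone (the `local.net` case, as opposed to `sub.local.net`) is not caught by that check and falls through to the forward-table test; if that is intentional because the view answers apex names from the zone rather than from the cache, a short comment on the `unsigned int options = ...` line saying so would keep the next reader from tightening it by mistake, and if it is not intentional the `DNS_ZTFIND_NOEXACT` flag deserves a second look. The comment in the `forward only` branch also misspells `repsonse`. The function is complete within the hunk, so both points are self-contained.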
+@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) { + DNS_SECTION_AUTHORITY); + while (!done && result == ISC_R_SUCCESS) { + dns_name_t *name = NULL; +- bool external; + + dns_message_currentname(rctx->query->rmessage, + DNS_SECTION_AUTHORITY, &name); +- external = !dns_name_issubdomain(name, &fctx->domain); + +- if (!external) { ++ if (!name_external(name, dns_rdatatype_ns, fctx)) { + dns_rdataset_t *rdataset = NULL; + + /* +@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) { + } + + if (!dns_name_issubdomain(name, &fctx->domain)) { +- /* Invalid name found; preserve it for logging later */ ++ /* ++ * Invalid name found; preserve it for logging ++ * later. ++ */ + rctx->found_name = name; + rctx->found_type = ISC_LIST_HEAD(name->list)->type; + continue; +-- +2.34.1 + diff --git a/bind-9.16-CVE-2022-0396.patch b/bind-9.16-CVE-2022-0396.patch new file mode 100644 index 0000000..5a374f1 --- /dev/null +++ b/bind-9.16-CVE-2022-0396.patch 
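Review bot: `rctx_authority_dnssec()` still decides in-bailiwick with the plain `dns_name_issubdomain(name, &fctx->domain)` while the `rctx_authority_positive()` hunk just above was switched to `name_external(name, dns_rdatatype_ns, fctx)`, which additionally honours the forwarder's scope, `forward only` sub-declarations and locally served zones; this hunk only reflows the comment beside that unchanged check. If NSEC/RRSIG records in a forwarder's authority section are meant to be held to the same narrower bailiwick, the test should become `if (name_external(name, ISC_LIST_HEAD(name->list)->type, fctx)) {`; if the looser test is deliberate, a one-line comment there would stop it being "fixed" later. The enclosing function starts and ends outside the hunk.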
@@ -0,0 +1,81 @@ +From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Tue, 8 Feb 2022 12:42:34 +0100 +Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb() + +When sock->closehandle_cb is set, we need to run nmhandle_detach_cb() +asynchronously to ensure correct order of multiple packets processing in +the isc__nm_process_sock_buffer(). When not run asynchronously, it +would cause: + + a) out-of-order processing of the return codes from processbuffer(); + + b) stack growth because the next TCP DNS message read callback will + be called from within the current TCP DNS message read callback. + +The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP +sockets which calls isc__nm_process_sock_buffer(). If the read callback +(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't +attach to the nmhandle (f.e. because it wants to drop the processing or +we send the response directly via uv_try_write()), the +isc__nm_resume_processing() (via .closehandle_cb) would call +isc__nm_process_sock_buffer() recursively. + +The below shortened code path shows how the stack can grow: + + 1: ns__client_request(handle, ...); + 2: isc_nm_tcpdns_sequential(handle); + 3: ns_query_start(client, handle); + 4: query_lookup(qctx); + 5: query_send(qctcx->client); + 6: isc__nmhandle_detach(&client->reqhandle); + 7: nmhandle_detach_cb(&handle); + 8: sock->closehandle_cb(sock); // isc__nm_resume_processing + 9: isc__nm_process_sock_buffer(sock); +10: processbuffer(sock); // isc__nm_tcpdns_processbuffer +11: isc_nmhandle_attach(req->handle, &handle); +12: isc__nm_readcb(sock, req, ISC_R_SUCCESS); +13: isc__nm_async_readcb(NULL, ...); +14: uvreq->cb.recv(...); // ns__client_request + +Instead, if 'sock->closehandle_cb' is set, we need to run detach the +handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in +the code flow above does not start this recursion. 
This ensures the +correct order when processing multiple packets in the function +'isc__nm_process_sock_buffer()' and prevents the stack growth. + +When not run asynchronously, the out-of-order processing leaves the +first TCP socket open until all requests on the stream have been +processed. + +If the pipelining is disabled on the TCP via `keep-response-order` +configuration option, named would keep the first socket in lingering +CLOSE_WAIT state when the client sends an incomplete packet and then +closes the connection from the client side. + +(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17) +--- + lib/isc/netmgr/netmgr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c +index 3283eb6e4f..0ed3182fb6 100644 +--- a/lib/isc/netmgr/netmgr.c ++++ b/lib/isc/netmgr/netmgr.c +@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) { + handle = *handlep; + *handlep = NULL; + ++ /* ++ * If the closehandle_cb is set, it needs to run asynchronously to ++ * ensure correct ordering of the isc__nm_process_sock_buffer(). ++ */ + sock = handle->sock; +- if (sock->tid == isc_nm_tid()) { ++ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) { + nmhandle_detach_cb(&handle FLARG_PASS); + } else { + isc__netievent_detach_t *event = +-- +2.34.1 + diff --git a/bind-9.16-CVE-2022-2795.patch b/bind-9.16-CVE-2022-2795.patch new file mode 100644 index 0000000..b67c8e9 --- /dev/null +++ b/bind-9.16-CVE-2022-2795.patch 
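Review bot: The comment added above the new `sock->closehandle_cb == NULL` condition justifies the asynchronous detach only with "correct ordering", while the stronger reason given in the commit message - that a synchronous `nmhandle_detach_cb()` re-enters `isc__nm_process_sock_buffer()` from inside a read callback and grows the stack without bound - is the one a maintainer needs before ever relaxing this check again. Suggest extending the comment to `...to ensure correct ordering in isc__nm_process_sock_buffer() and to avoid re-entering it from within a read callback (unbounded stack growth).` The `else` branch that queues the detach event, and the rest of `isc__nmhandle_detach()`, lie outside the hunk.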
@@ -0,0 +1,60 @@
+From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH] Bound the amount of work performed for delegations
+
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered. Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index d2cf14bbc8..73a0ee9f77 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -195,6 +195,12 @@
+ */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT 5
++/*
++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
++ * any NS RRset encountered, to avoid excessive resource use while processing
++ * large delegations.
++ */
++#define NS_PROCESSING_LIMIT 20
+
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ bool need_alternate = false;
+ bool all_spilled = true;
+ unsigned int no_addresses = 0;
++ unsigned int ns_processed = 0;
+
+ FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+@@ -3902,6 +3909,11 @@ normal_nses:
+
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
++
++ if (++ns_processed >= NS_PROCESSING_LIMIT) {
++ result = ISC_R_NOMORE;
++ break;
++ }
+ }
+ if (result != ISC_R_NOMORE) {
+ return (result);
+--
+2.37.3
+
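Review bot: When the cap is reached the loop overwrites `result` with `ISC_R_NOMORE` and breaks, so a delegation carrying more than `NS_PROCESSING_LIMIT` NS records is silently treated as fully processed and the remaining name servers are never considered; an operator debugging a resolution failure against such a delegation gets no signal at all. A trace before the `break`, e.g. `FCTXTRACE("NS_PROCESSING_LIMIT reached, ignoring remaining NS RRs");` (using the file's existing FCTXTRACE family, as the `FCTXTRACE5` call in the earlier hunk suggests), would make the condition diagnosable without changing behaviour. The limit is also a compile-time constant with no named.conf knob, which the comment on the `#define` could state explicitly. `fctx_getaddresses()` continues outside the hunk.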
diff --git a/bind-9.16-CVE-2022-3080.patch b/bind-9.16-CVE-2022-3080.patch
new file mode 100644
index 0000000..998ddf4
--- /dev/null
+++ b/bind-9.16-CVE-2022-3080.patch
@@ -0,0 +1,116 @@ +From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 20 Sep 2022 11:34:42 +0200 +Subject: [PATCH 2/4] Fix CVE-2022-3080 + +5960. [security] Fix serve-stale crash that could happen when + stale-answer-client-timeout was set to 0 and there was + a stale CNAME in the cache for an incoming query. + (CVE-2022-3080) [GL #3517] +--- + lib/ns/include/ns/query.h | 1 + + lib/ns/query.c | 42 ++++++++++++++++++++++++--------------- + 2 files changed, 27 insertions(+), 16 deletions(-) + +diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h +index 4d48cf6..34b3070 100644 +--- a/lib/ns/include/ns/query.h ++++ b/lib/ns/include/ns/query.h +@@ -145,6 +145,7 @@ struct query_ctx { + bool authoritative; /* authoritative query? */ + bool want_restart; /* CNAME chain or other + * restart needed */ ++ bool refresh_rrset; /* stale RRset refresh needed */ + bool need_wildcardproof; /* wildcard proof needed */ + bool nxrewrite; /* negative answer from RPZ */ + bool findcoveringnsec; /* lookup covering NSEC */ +diff --git a/lib/ns/query.c b/lib/ns/query.c +index 249321c..a450cb7 100644 +--- a/lib/ns/query.c ++++ b/lib/ns/query.c +@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) { + bool dbfind_stale = false; + bool stale_timeout = false; + bool stale_found = false; +- bool refresh_rrset = false; + bool stale_refresh_window = false; + + CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); +@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) { + "%s stale answer used, an attempt to " + "refresh the RRset will still be made", + namebuf); +- refresh_rrset = STALE(qctx->rdataset); +- qctx->client->nodetach = refresh_rrset; ++ qctx->refresh_rrset = STALE(qctx->rdataset); + } + } else { + /* +@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) { + + result = query_gotanswer(qctx, result); + +- if (refresh_rrset) { +- /* +- * If we reached this point then it means that we have found a +- * stale RRset entry in cache and 
BIND is configured to allow +- * queries to be answered with stale data if no active RRset +- * is available, i.e. "stale-anwer-client-timeout 0". But, we +- * still need to refresh the RRset. +- */ +- query_refresh_rrset(qctx); +- } +- + cleanup: + return (result); + } +@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) { + + /* + * On normal lookups, clear any rdatasets that were added on a +- * lookup due to stale-answer-client-timeout. ++ * lookup due to stale-answer-client-timeout. Do not clear if we ++ * are going to refresh the RRset, because the stale contents are ++ * prioritized. + */ + if (QUERY_STALEOK(&qctx->client->query) && +- !QUERY_STALETIMEOUT(&qctx->client->query)) ++ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) + { ++ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); + query_clear_stale(qctx->client); + /* + * We can clear the attribute to prevent redundant clearing +@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) { + /* + * Client may have been detached after query_send(), so + * we test and store the flag state here, for safety. ++ * If we are refreshing the RRSet, we must not detach from the client ++ * in the query_send(), so we need to override the flag. + */ ++ if (qctx->refresh_rrset) { ++ qctx->client->nodetach = true; ++ } + nodetach = qctx->client->nodetach; + query_send(qctx->client); ++ ++ if (qctx->refresh_rrset) { ++ /* ++ * If we reached this point then it means that we have found a ++ * stale RRset entry in cache and BIND is configured to allow ++ * queries to be answered with stale data if no active RRset ++ * is available, i.e. "stale-anwer-client-timeout 0". But, we ++ * still need to refresh the RRset. To prevent adding duplicate ++ * RRsets, clear the RRsets from the message before doing the ++ * refresh. ++ */ ++ message_clearrdataset(qctx->client->message, 0); ++ query_refresh_rrset(qctx); ++ } ++ + if (!nodetach) { + qctx->detach_client = true; + } +-- +2.37.3 + 
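Review bot: The new `query_ctx_t` member `refresh_rrset` is read in `query_addanswer()` and here in `ns_query_done()`, but no hunk in this patch initialises it; unless `qctx_init()` zero-fills the structure (not shown here), a left-over `true` on a reused context would force `nodetach`, clear the message's rdatasets with `message_clearrdataset()` and call `query_refresh_rrset()` for an answer that was never stale. Worth confirming, or adding an explicit `qctx->refresh_rrset = false;` to `qctx_init()` alongside the other flags. Separately, the comment moved into this function still spells the option `stale-anwer-client-timeout`; it is `stale-answer-client-timeout`. `ns_query_done()` begins outside the hunk.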
diff --git a/bind-9.16-CVE-2022-3094-1.patch b/bind-9.16-CVE-2022-3094-1.patch new file mode 100644 index 0000000..53f6629 --- /dev/null +++ b/bind-9.16-CVE-2022-3094-1.patch @@ -0,0 +1,241 @@ +From 0c0dc08d3ef26b7411cfe089e8144454831e8af5 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Thu, 1 Sep 2022 16:05:04 -0700 +Subject: [PATCH] add an update quota + +limit the number of simultaneous DNS UPDATE events that can be +processed by adding a quota for update and update forwarding. +this quota currently, arbitrarily, defaults to 100. + +also add a statistics counter to record when the update quota +has been exceeded. + +(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826) +--- + bin/named/bind9.xsl | 4 +++- + bin/named/bind9.xsl.h | 6 +++++- + bin/named/statschannel.c | 5 +++-- + doc/arm/reference.rst | 5 +++++ + lib/ns/include/ns/server.h | 1 + + lib/ns/include/ns/stats.h | 4 +++- + lib/ns/server.c | 2 ++ + lib/ns/update.c | 38 +++++++++++++++++++++++++++++++++++++- + 8 files changed, 59 insertions(+), 6 deletions(-) + +diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl +index 5078115..194625b 100644 +--- a/bin/named/bind9.xsl ++++ b/bin/named/bind9.xsl +@@ -12,7 +12,9 @@ + + + +- ++ ++ ++ + + + +diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h +index e30f7f5..b182742 100644 +--- a/bin/named/bind9.xsl.h ++++ b/bin/named/bind9.xsl.h +@@ -20,7 +20,11 @@ static char xslmsg[] = + "\n" + " \n" +- " \n" ++ " \n" ++ " \n" ++ " \n" + " \n" + " \n" + "