From 93f9fd3884fd5f845789a758d05fec69f000b103 Mon Sep 17 00:00:00 2001 
From: Johnny Hughes
Date: Wed, 2 Oct 2024 16:18:55 +0000
Subject: [PATCH] bind9.16 package is retired on branch c10s for CS-2551

---
 .gitignore | 2 -
 README.md | 3 +
 bind-9.10-dist-native-pkcs11.patch | 550 -------------
 bind-9.11-feature-test-named.patch | 70 --
 bind-9.11-fips-tests.patch | 959 ----------------------
 bind-9.11-kyua-pkcs11.patch | 58 --
 bind-9.11-rh1666814.patch | 29 -
 bind-9.11-tests-variants.patch | 65 --
 bind-9.14-config-pkcs11.patch | 83 --
 bind-9.16-CVE-2021-25220-test.patch | 1144 ---------------------------
 bind-9.16-CVE-2021-25220.patch | 251 ------
 bind-9.16-CVE-2022-0396.patch | 81 --
 bind-9.16-CVE-2022-2795.patch | 60 --
 bind-9.16-CVE-2022-3080.patch | 116 ---
 bind-9.16-CVE-2022-3094-1.patch | 240 ------
 bind-9.16-CVE-2022-3094-2.patch | 266 -------
 bind-9.16-CVE-2022-3094-3.patch | 470 -----------
 bind-9.16-CVE-2022-3094-test.patch | 272 -------
 bind-9.16-CVE-2022-3736.patch | 53 --
 bind-9.16-CVE-2022-38177.patch | 27 -
 bind-9.16-CVE-2022-38178.patch | 32 -
 dead.package | 1 +
 22 files changed, 4 insertions(+), 4828 deletions(-)
 delete mode 100644 .gitignore
 create mode 100644 README.md
 delete mode 100644 bind-9.10-dist-native-pkcs11.patch
 delete mode 100644 bind-9.11-feature-test-named.patch
 delete mode 100644 bind-9.11-fips-tests.patch
 delete mode 100644 bind-9.11-kyua-pkcs11.patch
 delete mode 100644 bind-9.11-rh1666814.patch
 delete mode 100644 bind-9.11-tests-variants.patch
 delete mode 100644 bind-9.14-config-pkcs11.patch
 delete mode 100644 bind-9.16-CVE-2021-25220-test.patch
 delete mode 100644 bind-9.16-CVE-2021-25220.patch
 delete mode 100644 bind-9.16-CVE-2022-0396.patch
 delete mode 100644 bind-9.16-CVE-2022-2795.patch
 delete mode 100644 bind-9.16-CVE-2022-3080.patch
 delete mode 100644 bind-9.16-CVE-2022-3094-1.patch
 delete mode 100644 bind-9.16-CVE-2022-3094-2.patch
 delete mode 100644 bind-9.16-CVE-2022-3094-3.patch
 delete mode 100644 bind-9.16-CVE-2022-3094-test.patch
 delete mode 100644 bind-9.16-CVE-2022-3736.patch
 delete mode 100644 bind-9.16-CVE-2022-38177.patch
 delete mode 100644 bind-9.16-CVE-2022-38178.patch
 create mode 100644 dead.package

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index e513f62..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-SOURCES/bind-9.16.23.tar.xz
-/bind-9.16.23.tar.xz
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..24b9ea2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Package Not Available
+This package is not available on CentOS Stream 10.
+It may be available on another branch.
\ No newline at end of file
diff --git a/bind-9.10-dist-native-pkcs11.patch b/bind-9.10-dist-native-pkcs11.patch
deleted file mode 100644
index 85ece30..0000000
--- a/bind-9.10-dist-native-pkcs11.patch
+++ /dev/null
@@ -1,550 +0,0 @@ -From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Thu, 21 Jan 2021 10:46:20 +0100 -Subject: [PATCH] Enable custom pkcs11 native build - -Share common parts like libisc, libcc and others. But provide native -pkcs11 libraries as a new copy of libdns and libns. ---- - bin/Makefile.in | 2 +- - bin/confgen/Makefile.in | 2 +- - bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++--------------- - bin/named-pkcs11/Makefile.in | 33 ++++++++++++++------------- - configure.ac | 19 ++++++++++++++++ - lib/Makefile.in | 2 +- - lib/dns-pkcs11/Makefile.in | 22 +++++++++--------- - lib/dns-pkcs11/tests/Makefile.in | 8 +++---- - lib/ns-pkcs11/Makefile.in | 26 ++++++++++----------- - lib/ns-pkcs11/tests/Makefile.in | 12 +++++----- - make/includes.in | 7 ++++++ - 11 files changed, 101 insertions(+), 71 deletions(-) - -diff --git a/bin/Makefile.in b/bin/Makefile.in -index 9ad7f62..094775a 100644 ---- a/bin/Makefile.in -+++ b/bin/Makefile.in -@@ -11,7 +11,7 @@ srcdir = @srcdir@ - VPATH = @srcdir@ - top_srcdir = @top_srcdir@ - --SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \ -+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \ - @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests - TARGETS = - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index c126bf3..1b7512d 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} - --CDEFINES = @USE_PKCS11@ -+CDEFINES = - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in -index ace0e5a..e0f6a00 100644 ---- a/bin/dnssec-pkcs11/Makefile.in -+++ b/bin/dnssec-pkcs11/Makefile.in -@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@ - - 
@BIND9_MAKE_INCLUDES@ - --CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ -+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \ - ${OPENSSL_CFLAGS} - --CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1 - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - -@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@ - - NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@ - -+# Add suffix to all targets -+EXEEXT = -pkcs11@EXEEXT@ -+ - # Alphabetically --TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ -- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \ -- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \ -- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \ -- dnssec-verify@EXEEXT@ -+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \ -+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \ -+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \ -+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \ -+ dnssec-verify${EXEEXT} - - OBJS = dnssectool.@O@ - -@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \ - - @BIND9_MAKE_RULES@ - --dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} -+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} 
-+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} -+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-signzone.c - --dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} -+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - -@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ - -c ${srcdir}/dnssec-verify.c - --dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} -+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} - export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ - ${FINALBUILDCMD} - --dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} -+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-revoke.@O@ ${OBJS} ${LIBS} - --dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} -+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ - dnssec-settime.@O@ ${OBJS} ${LIBS} - --dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} -+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} 
${LDFLAGS} -o $@ \ - dnssec-importkey.@O@ ${OBJS} ${LIBS} - -diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in -index 98125dd..518a75f 100644 ---- a/bin/named-pkcs11/Makefile.in -+++ b/bin/named-pkcs11/Makefile.in -@@ -37,13 +37,14 @@ DBDRIVER_LIBS = - - DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers - --DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@ --DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@ --DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ --DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ -+# Skip building on PKCS11 variant -+DLZDRIVER_OBJS = -+DLZDRIVER_SRCS = -+DLZDRIVER_INCLUDES = -+DLZDRIVER_LIBS = - - CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ -- ${NS_INCLUDES} ${DNS_INCLUDES} \ -+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \ - ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \ - ${DBDRIVER_INCLUDES} \ -@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LIBXML2_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @CONTRIB_DLZ@ -+CDEFINES = - - CWARNINGS = - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCLIBS = ../../lib/isccc/libisccc.@A@ - ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@ - BIND9LIBS = ../../lib/bind9/libbind9.@A@ --NSLIBS = ../../lib/ns/libns.@A@ -+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ - ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ --NSDEPLIBS = ../../lib/ns/libns.@A@ -+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@ - - DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ - ${ISCCFGDEPLIBS} 
${ISCCCDEPLIBS} ${ISCDEPLIBS} -@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ - - SUBDIRS = unix - --TARGETS = named@EXEEXT@ feature-test@EXEEXT@ -+TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@ - - GEOIP2LINKOBJS = geoip.@O@ - -@@ -151,7 +152,7 @@ server.@O@: server.c - -DPRODUCT=\"${PRODUCT}\" \ - -DVERSION=\"${VERSION}\" -c ${srcdir}/server.c - --named@EXEEXT@: ${OBJS} ${DEPLIBS} -+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS} - export MAKE_SYMTABLE="yes"; \ - export BASEOBJS="${OBJS} ${UOBJS}"; \ - ${FINALBUILDCMD} -@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c - ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ - -c ${top_srcdir}/bin/tests/system/feature-test.c - --feature-test@EXEEXT@: feature-test.@O@ -+feature-test-pkcs11@EXEEXT@: feature-test.@O@ - ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ - -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} - -@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} - --install:: named@EXEEXT@ installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} -+install:: named-pkcs11@EXEEXT@ installdirs -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@ - - @DLZ_DRIVER_RULES@ - -diff --git a/configure.ac b/configure.ac -index 032228b..64e3da0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI) - AC_SUBST(DST_GSSAPI_INC) - AC_SUBST(DNS_GSSAPI_LIBS) - DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS" -+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" - - # - # Applications linking with libdns also need to link with these libraries. 
- # - - AC_SUBST(DNS_CRYPTO_LIBS) -+AC_SUBST(DNS_CRYPTO_PK11_LIBS) - - # - # was --with-lmdb specified? -@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE) - AC_SUBST(BIND9_NS_BUILDINCLUDE) - AC_SUBST(BIND9_BIND9_BUILDINCLUDE) - AC_SUBST(BIND9_IRS_BUILDINCLUDE) -+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE) -+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE) - if test "X$srcdir" != "X"; then - BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include" - BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include" -@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then - BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include" - BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include" - BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include" -+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include" -+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include" - else - BIND9_ISC_BUILDINCLUDE="" - BIND9_ISCCC_BUILDINCLUDE="" -@@ -2343,6 +2349,8 @@ else - BIND9_NS_BUILDINCLUDE="" - BIND9_BIND9_BUILDINCLUDE="" - BIND9_IRS_BUILDINCLUDE="" -+ BIND9_DNS_PKCS11_BUILDINCLUDE="" -+ BIND9_NS_PKCS11_BUILDINCLUDE="" - fi - - AC_SUBST_FILE(BIND9_MAKE_INCLUDES) -@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([ - bin/delv/Makefile - bin/dig/Makefile - bin/dnssec/Makefile -+ bin/dnssec-pkcs11/Makefile - bin/named/Makefile - bin/named/unix/Makefile -+ bin/named-pkcs11/Makefile -+ bin/named-pkcs11/unix/Makefile - bin/nsupdate/Makefile - bin/pkcs11/Makefile - bin/plugins/Makefile -@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([ - lib/dns/include/dns/Makefile - lib/dns/include/dst/Makefile - lib/dns/tests/Makefile -+ lib/dns-pkcs11/Makefile -+ lib/dns-pkcs11/include/Makefile -+ lib/dns-pkcs11/include/dns/Makefile -+ lib/dns-pkcs11/include/dst/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([ - lib/ns/include/Makefile - lib/ns/include/ns/Makefile - 
lib/ns/tests/Makefile -+ lib/ns-pkcs11/Makefile -+ lib/ns-pkcs11/include/Makefile -+ lib/ns-pkcs11/include/ns/Makefile -+ lib/ns-pkcs11/tests/Makefile - make/Makefile - make/mkdep - unit/unittest.sh -diff --git a/lib/Makefile.in b/lib/Makefile.in -index 833964e..058ba2f 100644 ---- a/lib/Makefile.in -+++ b/lib/Makefile.in -@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@ - # Attempt to disable parallel processing. - .NOTPARALLEL: - .NO_PARALLEL: --SUBDIRS = isc isccc dns ns isccfg bind9 irs -+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs - TARGETS = - - @BIND9_MAKE_RULES@ -diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in -index 58bda3c..d6a45df 100644 ---- a/lib/dns-pkcs11/Makefile.in -+++ b/lib/dns-pkcs11/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \ - ${ISC_INCLUDES} \ - ${FSTRM_CFLAGS} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ -@@ -32,7 +32,7 @@ CINCLUDES = -I. 
-I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \ - ${LMDB_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @USE_GSSAPI@ -+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@ - - CWARNINGS = - -@@ -135,15 +135,15 @@ version.@O@: version.c - -DMAPAPI=\"${MAPAPI}\" \ - -c ${srcdir}/version.c - --libdns.@SA@: ${OBJS} -+libdns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libdns.la: ${OBJS} -+libdns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ - -release "${VERSION}" \ -- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - - include: gen - ${MAKE} include/dns/enumtype.h -@@ -174,22 +174,22 @@ gen: gen.c - ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \ - ${BUILD_LIBS} ${LFS_LIBS} - --timestamp: include libdns.@A@ -+timestamp: include libdns-pkcs11.@A@ - touch timestamp - --testdirs: libdns.@A@ -+testdirs: libdns-pkcs11.@A@ - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir} -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@ - - clean distclean:: -- rm -f libdns.@A@ timestamp -+ rm -f libdns-pkcs11.@A@ timestamp - rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h - rm -f include/dns/rdatastruct.h - rm -f dnstap.pb-c.c dnstap.pb-c.h -diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in -index 3bb5e01..c96fe7d 100644 ---- a/lib/dns-pkcs11/tests/Makefile.in -+++ b/lib/dns-pkcs11/tests/Makefile.in -@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. 
-Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \ - ${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@ --CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\"" -+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\"" - - ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@ --DNSDEPLIBS = ../libdns.@A@ -+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSDEPLIBS = ../libdns-pkcs11.@A@ - - LIBS = @LIBS@ @CMOCKA_LIBS@ - -diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in -index bc683ce..7a9d2f2 100644 ---- a/lib/ns-pkcs11/Makefile.in -+++ b/lib/ns-pkcs11/Makefile.in -@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@ - - @BIND9_MAKE_INCLUDES@ - --CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \ -- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \ -+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \ - ${FSTRM_CFLAGS} - --CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\" - - CWARNINGS = - -@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@ - - ISCDEPLIBS = ../../lib/isc/libisc.@A@ - --DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ - --DNSDEPLIBS = ../../lib/dns/libdns.@A@ -+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ - - LIBS = @LIBS@ - -@@ -60,28 +60,28 @@ version.@O@: version.c - -DMAJOR=\"${MAJOR}\" \ - -c ${srcdir}/version.c - --libns.@SA@: ${OBJS} -+libns-pkcs11.@SA@: ${OBJS} - ${AR} ${ARFLAGS} $@ ${OBJS} - ${RANLIB} $@ - --libns.la: ${OBJS} -+libns-pkcs11.la: ${OBJS} - ${LIBTOOL_MODE_LINK} \ -- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \ -+ ${CC} ${ALL_CFLAGS} 
${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \ - -release "${VERSION}" \ -- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} -+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} - --timestamp: libns.@A@ -+timestamp: libns-pkcs11.@A@ - touch timestamp - - installdirs: - $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} - - install:: timestamp installdirs -- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \ -+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \ - ${DESTDIR}${libdir} - - uninstall:: -- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@ -+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@ - - clean distclean:: -- rm -f libns.@A@ timestamp -+ rm -f libns-pkcs11.@A@ timestamp -diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in -index 4c3e694..c1b6d99 100644 ---- a/lib/ns-pkcs11/tests/Makefile.in -+++ b/lib/ns-pkcs11/tests/Makefile.in -@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@ - - WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach - --CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \ -+CINCLUDES = -I. 
-Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \ - ${OPENSSL_CFLAGS} \ - @CMOCKA_CFLAGS@ --CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" -+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@ - - ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@ - ISCDEPLIBS = ../../isc/libisc.@A@ --DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@ --DNSDEPLIBS = ../../dns/libdns.@A@ --NSLIBS = ../libns.@A@ --NSDEPLIBS = ../libns.@A@ -+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@ -+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ -+NSLIBS = ../libns-pkcs11.@A@ -+NSDEPLIBS = ../libns-pkcs11.@A@ - - LIBS = @LIBS@ @CMOCKA_LIBS@ - -diff --git a/make/includes.in b/make/includes.in -index b8317d3..b73b0c4 100644 ---- a/make/includes.in -+++ b/make/includes.in -@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ - - TEST_INCLUDES = \ - -I${top_srcdir}/lib/tests/include -+ -+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/dns-pkcs11/include -+ -+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \ -+ -I${top_srcdir}/lib/ns-pkcs11/include -+ --- -2.26.3 - diff --git a/bind-9.11-feature-test-named.patch b/bind-9.11-feature-test-named.patch deleted file mode 100644 index 3072063..0000000 --- a/bind-9.11-feature-test-named.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From e9e7069ede766fa5c881517bdae74e2fc6682398 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 30 Jan 2019 14:37:17 +0100 -Subject: [PATCH] Create feature-test in source directory - -Feature-test tool is used in system tests to test compiled in changes. -Because we build more variants of named with different configuration, -compile feature-test for each of them this way. - -Make gsstsig test supported ---- - bin/named/Makefile.in | 14 ++++++++++++-- - bin/tests/system/conf.sh.in | 2 +- - 2 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in -index debb906adc..dd894fe934 100644 ---- a/bin/named/Makefile.in -+++ b/bin/named/Makefile.in -@@ -56,7 +56,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ - ${LIBXML2_CFLAGS} \ - ${MAXMINDDB_CFLAGS} - --CDEFINES = @CONTRIB_DLZ@ -+CDEFINES = @USE_GSSAPI@ @CONTRIB_DLZ@ - - CWARNINGS = - -@@ -93,7 +93,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \ - - SUBDIRS = unix - --TARGETS = named@EXEEXT@ -+TARGETS = named@EXEEXT@ feature-test@EXEEXT@ - - GEOIP2LINKOBJS = geoip.@O@ - -@@ -156,6 +156,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS} - export BASEOBJS="${OBJS} ${UOBJS}"; \ - ${FINALBUILDCMD} - -+# Bit of hack, do not produce intermediate .o object for featuretest -+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c -+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ -+ -c ${top_srcdir}/bin/tests/system/feature-test.c -+ -+feature-test@EXEEXT@: feature-test.@O@ -+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \ -+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS} -+ -+ - clean distclean maintainer-clean:: - rm -f ${TARGETS} ${OBJS} - -diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in -index 9a61622143..f69c5be334 100644 ---- a/bin/tests/system/conf.sh.in -+++ b/bin/tests/system/conf.sh.in -@@ -38,7 +38,7 @@ DELV=$TOP/bin/delv/delv - DIG=$TOP/bin/dig/dig - 
DNSTAPREAD=$TOP/bin/tools/dnstap-read - DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey --FEATURETEST=$TOP/bin/tests/system/feature-test -+FEATURETEST=$TOP/bin/named/feature-test - FSTRM_CAPTURE=@FSTRM_CAPTURE@ - HOST=$TOP/bin/dig/host - IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey --- -2.45.2 - diff --git a/bind-9.11-fips-tests.patch b/bind-9.11-fips-tests.patch deleted file mode 100644 index 51927a4..0000000 --- a/bind-9.11-fips-tests.patch +++ /dev/null 
@@ -1,959 +0,0 @@ -From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Thu, 2 Aug 2018 23:46:45 +0200 -Subject: [PATCH] FIPS tests changes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Squashed commit of the following: - -commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa -Author: Petr Menšík -Date: Wed Mar 7 20:35:13 2018 +0100 - - Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available. - -commit ab303db70082db76ecf36493d0b82ef3e8750cad -Author: Petr Menšík -Date: Wed Mar 7 18:11:10 2018 +0100 - - Changed root key to be RSASHA256 - - Change bad trusted key to be the same algorithm. - -commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8 -Author: Petr Menšík -Date: Wed Mar 7 16:56:17 2018 +0100 - - Change used key to not use hmac-md5 - - Fix upforwd test, do not use hmac-md5 - -commit aec891571626f053acfb4d0a247240cbc21a84e9 -Author: Petr Menšík -Date: Wed Mar 7 15:54:11 2018 +0100 - - Increase bitsize of DSA key to pass FIPS 140-2 mode. - -commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696 -Author: Petr Menšík -Date: Wed Mar 7 15:41:08 2018 +0100 - - Fix tsig and rndc tests for disabled md5 - - Use hmac-sha256 instead of hmac-md5. 
- -commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67 -Author: Petr Menšík -Date: Wed Mar 7 13:21:00 2018 +0100 - - Add md5 availability detection to featuretest - -commit f389a918803e2853e4b55fed62765dc4a492e34f -Author: Petr Menšík -Date: Wed Mar 7 10:44:23 2018 +0100 - - Change tests to not use hmac-md5 algorithms if not required - - Use hmac-sha256 instead of default hmac-md5 for allow-query ---- - bin/tests/system/acl/ns2/named1.conf.in | 4 +- - bin/tests/system/acl/ns2/named2.conf.in | 4 +- - bin/tests/system/acl/ns2/named3.conf.in | 6 +- - bin/tests/system/acl/ns2/named4.conf.in | 4 +- - bin/tests/system/acl/ns2/named5.conf.in | 4 +- - bin/tests/system/acl/tests.sh | 32 ++++----- - .../system/allow-query/ns2/named10.conf.in | 2 +- - .../system/allow-query/ns2/named11.conf.in | 4 +- - .../system/allow-query/ns2/named12.conf.in | 2 +- - .../system/allow-query/ns2/named30.conf.in | 2 +- - .../system/allow-query/ns2/named31.conf.in | 4 +- - .../system/allow-query/ns2/named32.conf.in | 2 +- - .../system/allow-query/ns2/named40.conf.in | 4 +- - bin/tests/system/allow-query/tests.sh | 18 ++--- - bin/tests/system/catz/ns1/named.conf.in | 2 +- - bin/tests/system/catz/ns2/named.conf.in | 2 +- - bin/tests/system/checkconf/bad-tsig.conf | 2 +- - bin/tests/system/checkconf/good.conf | 2 +- - bin/tests/system/feature-test.c | 14 ++++ - bin/tests/system/notify/ns5/named.conf.in | 6 +- - bin/tests/system/notify/tests.sh | 6 +- - bin/tests/system/nsupdate/ns1/named.conf.in | 2 +- - bin/tests/system/nsupdate/ns2/named.conf.in | 2 +- - bin/tests/system/nsupdate/setup.sh | 6 +- - bin/tests/system/nsupdate/tests.sh | 15 +++-- - bin/tests/system/rndc/setup.sh | 2 +- - bin/tests/system/rndc/tests.sh | 23 ++++--- - bin/tests/system/tsig/ns1/named.conf.in | 10 +-- - bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++ - bin/tests/system/tsig/setup.sh | 5 ++ - bin/tests/system/tsig/tests.sh | 65 ++++++++++++------- - bin/tests/system/upforwd/ns1/named.conf.in | 2 +- - 
bin/tests/system/upforwd/tests.sh | 2 +- - 33 files changed, 162 insertions(+), 108 deletions(-) - create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in - -diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in -index 60f22e1..249f672 100644 ---- a/bin/tests/system/acl/ns2/named1.conf.in -+++ b/bin/tests/system/acl/ns2/named1.conf.in -@@ -33,12 +33,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in -index ada97bc..f82d858 100644 ---- a/bin/tests/system/acl/ns2/named2.conf.in -+++ b/bin/tests/system/acl/ns2/named2.conf.in -@@ -33,12 +33,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in -index 97684e4..de6a2e9 100644 ---- a/bin/tests/system/acl/ns2/named3.conf.in -+++ b/bin/tests/system/acl/ns2/named3.conf.in -@@ -33,17 +33,17 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key three { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in -index 462b3fa..994b35c 100644 ---- a/bin/tests/system/acl/ns2/named4.conf.in -+++ b/bin/tests/system/acl/ns2/named4.conf.in -@@ -33,12 +33,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm 
hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in -index 728da58..8f00d09 100644 ---- a/bin/tests/system/acl/ns2/named5.conf.in -+++ b/bin/tests/system/acl/ns2/named5.conf.in -@@ -35,12 +35,12 @@ options { - }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh -index be59d64..13d5bdc 100644 ---- a/bin/tests/system/acl/tests.sh -+++ b/bin/tests/system/acl/tests.sh -@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing" - # key "one" should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - - # any other key should be fine - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - copy_setports ns2/named2.conf.in ns2/named.conf -@@ -39,18 +39,18 @@ sleep 5 - # prefix 10/8 should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # any other address should work, as long as it sends key "one" - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - echo_i "testing nested ACL processing" -@@ -62,31 +62,31 @@ sleep 5 - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # but only one or the other should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - t=`expr $t + 1` -@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1 - # and other values? right out - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two -@@ -108,31 +108,31 @@ sleep 5 - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should succeed - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. 
\ -- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - # should fail - t=`expr $t + 1` - $DIG $DIGOPTS tsigzone. \ -- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t} -+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t} - grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - - echo_i "testing allow-query-on ACL processing" -diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in -index 7d43e36..f7b25f9 100644 ---- a/bin/tests/system/allow-query/ns2/named10.conf.in -+++ b/bin/tests/system/allow-query/ns2/named10.conf.in -@@ -10,7 +10,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in -index 2952518..121557e 100644 ---- a/bin/tests/system/allow-query/ns2/named11.conf.in -+++ b/bin/tests/system/allow-query/ns2/named11.conf.in -@@ -10,12 +10,12 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in -index 0c01071..ceabbb5 100644 ---- a/bin/tests/system/allow-query/ns2/named12.conf.in -+++ b/bin/tests/system/allow-query/ns2/named12.conf.in -@@ -10,7 +10,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in -index 4c17292..9cd9d1f 100644 ---- 
a/bin/tests/system/allow-query/ns2/named30.conf.in -+++ b/bin/tests/system/allow-query/ns2/named30.conf.in -@@ -10,7 +10,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in -index a2690a4..f488730 100644 ---- a/bin/tests/system/allow-query/ns2/named31.conf.in -+++ b/bin/tests/system/allow-query/ns2/named31.conf.in -@@ -10,12 +10,12 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in -index a0708c8..51fa457 100644 ---- a/bin/tests/system/allow-query/ns2/named32.conf.in -+++ b/bin/tests/system/allow-query/ns2/named32.conf.in -@@ -10,7 +10,7 @@ - */ - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in -index 687768e..d24d6d2 100644 ---- a/bin/tests/system/allow-query/ns2/named40.conf.in -+++ b/bin/tests/system/allow-query/ns2/named40.conf.in -@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; }; - acl badaccept { 10.53.0.1; }; - - key one { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234abcd8765"; - }; - - key two { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "1234efgh8765"; - }; - -diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh -index fe40635..543c663 100644 ---- a/bin/tests/system/allow-query/tests.sh -+++ b/bin/tests/system/allow-query/tests.sh -@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > 
dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: views key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: views key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 
a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2 - - echo_i "test $n: views key disallowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -500,7 +500,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key allowed - query allowed" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -510,7 +510,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key not allowed - query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -@@ -520,7 +520,7 @@ status=`expr $status + $ret` - n=`expr $n + 1` - echo_i "test $n: zone key disallowed 
- query refused" - ret=0 --$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 -+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1 - grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1 - grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi -diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in -index 1218669..e62715e 100644 ---- a/bin/tests/system/catz/ns1/named.conf.in -+++ b/bin/tests/system/catz/ns1/named.conf.in -@@ -61,5 +61,5 @@ zone "catalog4.example" { - - key tsig_key. { - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in -index 30333e6..4005152 100644 ---- a/bin/tests/system/catz/ns2/named.conf.in -+++ b/bin/tests/system/catz/ns2/named.conf.in -@@ -70,5 +70,5 @@ zone "catalog4.example" { - - key tsig_key. 
{ - secret "LSAnCU+Z"; -- algorithm hmac-md5; -+ algorithm hmac-sha256; - }; -diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf -index 21be03e..e57c308 100644 ---- a/bin/tests/system/checkconf/bad-tsig.conf -+++ b/bin/tests/system/checkconf/bad-tsig.conf -@@ -11,7 +11,7 @@ - - /* Bad secret */ - key "badtsig" { -- algorithm hmac-md5; -+ algorithm hmac-sha256; - secret "jEdD+BPKg=="; - }; - -diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf -index e09b9e8..2e824b3 100644 ---- a/bin/tests/system/checkconf/good.conf -+++ b/bin/tests/system/checkconf/good.conf -@@ -210,6 +210,6 @@ dyndb "name" "library.so" { - system; - }; - key "mykey" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "qwertyuiopasdfgh"; - }; -diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c -index 877504f..577660a 100644 ---- a/bin/tests/system/feature-test.c -+++ b/bin/tests/system/feature-test.c -@@ -14,6 +14,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -186,6 +187,19 @@ main(int argc, char **argv) { - #endif /* ifdef DLZ_FILESYSTEM */ - } - -+ if (strcmp(argv[1], "--md5") == 0) { -+ unsigned char digest[ISC_MAX_MD_SIZE]; -+ const unsigned char test[] = "test"; -+ unsigned int size = sizeof(digest); -+ -+ if (isc_md(ISC_MD_MD5, test, sizeof(test), -+ digest, &size) == ISC_R_SUCCESS) { -+ return (0); -+ } else { -+ return (1); -+ } -+ } -+ - if (strcmp(argv[1], "--with-idn") == 0) { - #ifdef HAVE_LIBIDN2 - return (0); -diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in -index 1ee8df4..2b75d9a 100644 ---- a/bin/tests/system/notify/ns5/named.conf.in -+++ b/bin/tests/system/notify/ns5/named.conf.in -@@ -10,17 +10,17 @@ - */ - - key "a" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "aaaaaaaaaaaaaaaaaaaa"; - }; - - key "b" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - 
secret "bbbbbbbbbbbbbbbbbbbb"; - }; - - key "c" { -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "cccccccccccccccccccc"; - }; - -diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh -index 3d7e0b7..ec4d9a7 100644 ---- a/bin/tests/system/notify/tests.sh -+++ b/bin/tests/system/notify/tests.sh -@@ -212,16 +212,16 @@ ret=0 - $NSUPDATE << EOF - server 10.53.0.5 ${PORT} - zone x21 --key a aaaaaaaaaaaaaaaaaaaa -+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa - update add added.x21 0 in txt "test string" - send - EOF - - for i in 1 2 3 4 5 6 7 8 9 - do -- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \ - txt > dig.out.b.ns5.test$n || ret=1 -- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \ -+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \ - txt > dig.out.c.ns5.test$n || ret=1 - grep "test string" dig.out.b.ns5.test$n > /dev/null && - grep "test string" dig.out.c.ns5.test$n > /dev/null && -diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in -index b51e700..436c97d 100644 ---- a/bin/tests/system/nsupdate/ns1/named.conf.in -+++ b/bin/tests/system/nsupdate/ns1/named.conf.in -@@ -37,7 +37,7 @@ controls { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in -index da6b3b4..c547e47 100644 ---- a/bin/tests/system/nsupdate/ns2/named.conf.in -+++ b/bin/tests/system/nsupdate/ns2/named.conf.in -@@ -32,7 +32,7 @@ controls { - }; - - key altkey { -- algorithm hmac-md5; -+ algorithm hmac-sha512; - secret "1234abcd8765"; - }; - -diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index c055da3..4e1242b 100644 ---- a/bin/tests/system/nsupdate/setup.sh -+++ 
b/bin/tests/system/nsupdate/setup.sh -@@ -56,7 +56,11 @@ EOF - - $DDNSCONFGEN -q -z example.nil > ns1/ddns.key - --$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+if $FEATURETEST --md5; then -+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key -+else -+ echo -n > ns1/md5.key -+fi - $DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key - $DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key - $DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key -diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index b35d797..41c128e 100755 ---- a/bin/tests/system/nsupdate/tests.sh -+++ b/bin/tests/system/nsupdate/tests.sh -@@ -797,7 +797,14 @@ fi - n=`expr $n + 1` - ret=0 - echo_i "check TSIG key algorithms (nsupdate -k) ($n)" --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+if $FEATURETEST --md5 -+then -+ ALGS="md5 sha1 sha224 sha256 sha384 sha512" -+else -+ ALGS="sha1 sha224 sha256 sha384 sha512" -+ echo_i "skipping disabled md5 algorithm" -+fi -+for alg in $ALGS; do - $NSUPDATE -k ns1/${alg}.key < /dev/null || ret=1 - server 10.53.0.1 ${PORT} - update add ${alg}.keytests.nil. 
600 A 10.10.10.3 -@@ -805,7 +812,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then -@@ -816,7 +823,7 @@ fi - n=`expr $n + 1` - ret=0 - echo_i "check TSIG key algorithms (nsupdate -y) ($n)" --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key) - $NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" < /dev/null || ret=1 - server 10.53.0.1 ${PORT} -@@ -825,7 +832,7 @@ send - END - done - sleep 2 --for alg in md5 sha1 sha224 sha256 sha384 sha512; do -+for alg in $ALGS; do - $DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1 - done - if [ $ret -ne 0 ]; then -diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh -index b59e7a7..04d5f5a 100644 ---- a/bin/tests/system/rndc/setup.sh -+++ b/bin/tests/system/rndc/setup.sh -@@ -33,7 +33,7 @@ make_key () { - sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf - } - --make_key 1 ${EXTRAPORT1} hmac-md5 -+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5 - make_key 2 ${EXTRAPORT2} hmac-sha1 - make_key 3 ${EXTRAPORT3} hmac-sha224 - make_key 4 ${EXTRAPORT4} hmac-sha256 -diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh -index 9fd84ed..d0b188f 100644 ---- a/bin/tests/system/rndc/tests.sh -+++ b/bin/tests/system/rndc/tests.sh -@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` - - n=`expr $n + 1` --echo_i "testing rndc with hmac-md5 ($n)" --ret=0 --$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 --for i in 2 3 4 5 6 --do -- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 --done --if [ $ret != 0 ]; then echo_i "failed"; fi --status=`expr 
$status + $ret` -+if $FEATURETEST --md5 -+then -+ echo_i "testing rndc with hmac-md5 ($n)" -+ ret=0 -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1 -+ for i in 2 3 4 5 6 -+ do -+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=`expr $status + $ret` -+else -+ echo_i "skipping rndc with hmac-md5 ($n)" -+fi - - n=`expr $n + 1` - echo_i "testing rndc with hmac-sha1 ($n)" -diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in -index 3470c4f..cf539cd 100644 ---- a/bin/tests/system/tsig/ns1/named.conf.in -+++ b/bin/tests/system/tsig/ns1/named.conf.in -@@ -21,10 +21,7 @@ options { - notify no; - }; - --key "md5" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5; --}; -+# md5 key appended by setup.sh at the end - - key "sha1" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -@@ -51,10 +48,7 @@ key "sha512" { - algorithm hmac-sha512; - }; - --key "md5-trunc" { -- secret "97rnFx24Tfna4mHPfgnerA=="; -- algorithm hmac-md5-80; --}; -+# md5-trunc key appended by setup.sh at the end - - key "sha1-trunc" { - secret "FrSt77yPTFx6hTs4i2tKLB9LmE0="; -diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in -new file mode 100644 -index 0000000..0682194 ---- /dev/null -+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in -@@ -0,0 +1,10 @@ -+# Conditionally included when support for MD5 is available -+key "md5" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5; -+}; -+ -+key "md5-trunc" { -+ secret "97rnFx24Tfna4mHPfgnerA=="; -+ algorithm hmac-md5-80; -+}; -diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh -index e3b4a45..ae21d04 100644 ---- a/bin/tests/system/tsig/setup.sh -+++ b/bin/tests/system/tsig/setup.sh -@@ -15,3 +15,8 @@ SYSTEMTESTTOP=.. 
- $SHELL clean.sh - - copy_setports ns1/named.conf.in ns1/named.conf -+ -+if $FEATURETEST --md5 -+then -+ cat ns1/rndc5.conf.in >> ns1/named.conf -+fi -diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh -index 38d842a..668aa6f 100644 ---- a/bin/tests/system/tsig/tests.sh -+++ b/bin/tests/system/tsig/tests.sh -@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f - - status=0 - --echo_i "fetching using hmac-md5 (old form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 --fi -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (old form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi - --echo_i "fetching using hmac-md5 (new form)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 --grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+ echo_i "fetching using hmac-md5 (new form)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1 -+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5" - fi - - echo_i "fetching using hmac-sha1" -@@ -87,12 +92,17 @@ fi - # Truncated TSIG - # - # --echo_i "fetching using hmac-md5 (trunc)" --ret=0 --$DIG $DIGOPTS example.nil. 
-y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 --grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5 (trunc)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1 -+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5 (trunc)" - fi - - echo_i "fetching using hmac-sha1 (trunc)" -@@ -141,12 +151,17 @@ fi - # Check for bad truncation. - # - # --echo_i "fetching using hmac-md5-80 (BADTRUNC)" --ret=0 --$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 --grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 --if [ $ret -eq 1 ] ; then -- echo_i "failed"; status=1 -+if $FEATURETEST --md5 -+then -+ echo_i "fetching using hmac-md5-80 (BADTRUNC)" -+ ret=0 -+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1 -+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1 -+ if [ $ret -eq 1 ] ; then -+ echo_i "failed"; status=1 -+ fi -+else -+ echo_i "skipping using hmac-md5-80 (BADTRUNC)" - fi - - echo_i "fetching using hmac-sha1-80 (BADTRUNC)" -diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in -index 3873c7c..b359a5a 100644 ---- a/bin/tests/system/upforwd/ns1/named.conf.in -+++ b/bin/tests/system/upforwd/ns1/named.conf.in -@@ -10,7 +10,7 @@ - */ - - key "update.example." 
{ -- algorithm "hmac-md5"; -+ algorithm "hmac-sha256"; - secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; - }; - -diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh -index a50c896..8062d68 100644 ---- a/bin/tests/system/upforwd/tests.sh -+++ b/bin/tests/system/upforwd/tests.sh -@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi - - echo_i "updating zone (signed) ($n)" - ret=0 --$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - < -Date: Tue, 2 Jan 2018 18:13:07 +0100 -Subject: [PATCH] Fix pkcs11 variants atf tests - -Add dns-pkcs11 tests Makefile to configure - -Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode ---- - configure.ac | 1 + - lib/Kyuafile | 2 ++ - lib/dns-pkcs11/tests/dh_test.c | 3 ++- - 3 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index d80ae31..0fb9328 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([ - lib/dns-pkcs11/include/Makefile - lib/dns-pkcs11/include/dns/Makefile - lib/dns-pkcs11/include/dst/Makefile -+ lib/dns-pkcs11/tests/Makefile - lib/irs/Makefile - lib/irs/include/Makefile - lib/irs/include/irs/Makefile -diff --git a/lib/Kyuafile b/lib/Kyuafile -index 39ce986..037e5ef 100644 ---- a/lib/Kyuafile -+++ b/lib/Kyuafile -@@ -2,8 +2,10 @@ syntax(2) - test_suite('bind9') - - include('dns/Kyuafile') -+include('dns-pkcs11/Kyuafile') - include('irs/Kyuafile') - include('isc/Kyuafile') - include('isccc/Kyuafile') - include('isccfg/Kyuafile') - include('ns/Kyuafile') -+include('ns-pkcs11/Kyuafile') -diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c -index 934e8fd..658d1af 100644 ---- a/lib/dns-pkcs11/tests/dh_test.c -+++ b/lib/dns-pkcs11/tests/dh_test.c -@@ -87,7 +87,8 @@ dh_computesecret(void **state) { - result = dst_key_computesecret(key, key, &buf); - assert_int_equal(result, 
DST_R_NOTPRIVATEKEY); - result = key->func->computesecret(key, key, &buf); -- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE); -+ /* PKCS11 variant gives different result, accept both */ -+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY); - - dst_key_free(&key); - } --- -2.20.1 - diff --git a/bind-9.11-rh1666814.patch b/bind-9.11-rh1666814.patch deleted file mode 100644 index 7429999..0000000 --- a/bind-9.11-rh1666814.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Wed, 16 Jan 2019 16:27:33 +0100 -Subject: [PATCH] Fix possible crash when loading corrupted file - -Some values passes internal triggers by coincidence. Fix the check and -check also first_node_offset before even passing it further. ---- - lib/dns/rbt.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c -index 5aee5f6..7f2c2d2 100644 ---- a/lib/dns/rbt.c -+++ b/lib/dns/rbt.c -@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize, - rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset + - header->first_node_offset); - -- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) { -+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize -+ || header->first_node_offset > filesize) { -+ - result = ISC_R_INVALIDFILE; - goto cleanup; - } --- -2.31.1 - diff --git a/bind-9.11-tests-variants.patch b/bind-9.11-tests-variants.patch deleted file mode 100644 index 807a4a0..0000000 --- a/bind-9.11-tests-variants.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 1 Mar 2019 15:48:20 +0100 -Subject: [PATCH] Make alternative named builds testable in system tests - -Red Hat has alternative variant builds of named, which are not ever -tested by system tests. New variables make it relatively easy to test -alternative variants. - -For sdb variant use: -export NAMED_VARIANT=-sdb DNSSEC_VARIANT= - -For pkcs variant use: -export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11 ---- - bin/tests/system/conf.sh.in | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in -index d859909..9152f07 100644 ---- a/bin/tests/system/conf.sh.in -+++ b/bin/tests/system/conf.sh.in -@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen - DELV=$TOP/bin/delv/delv - DIG=$TOP/bin/dig/dig - DNSTAPREAD=$TOP/bin/tools/dnstap-read --DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey --FEATURETEST=$TOP/bin/named/feature-test -+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT} -+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT} - FSTRM_CAPTURE=@FSTRM_CAPTURE@ - HOST=$TOP/bin/dig/host --IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey -+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT} - JOURNALPRINT=$TOP/bin/tools/named-journalprint --KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel --KEYGEN=$TOP/bin/dnssec/dnssec-keygen -+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT} -+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT} - KEYMGR=$TOP/bin/python/dnssec-keymgr - MDIG=$TOP/bin/tools/mdig --NAMED=$TOP/bin/named/named -+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT} - NSEC3HASH=$TOP/bin/tools/nsec3hash - NSLOOKUP=$TOP/bin/dig/nslookup - NSUPDATE=$TOP/bin/nsupdate/nsupdate -@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy 
-s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0" - PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}" - PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}" - RESOLVE=$TOP/bin/tests/system/resolve --REVOKE=$TOP/bin/dnssec/dnssec-revoke -+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT} - RNDC=$TOP/bin/rndc/rndc - RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen - RRCHECKER=$TOP/bin/tools/named-rrchecker --SETTIME=$TOP/bin/dnssec/dnssec-settime --SIGNER=$TOP/bin/dnssec/dnssec-signzone -+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT} -+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT} - TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen - VERIFY=$TOP/bin/dnssec/dnssec-verify - WIRETEST=$TOP/bin/tests/wire_test --- -2.26.3 - diff --git a/bind-9.14-config-pkcs11.patch b/bind-9.14-config-pkcs11.patch deleted file mode 100644 index 0d62df6..0000000 --- a/bind-9.14-config-pkcs11.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001 -From: Petr Mensik -Date: Fri, 18 Oct 2019 21:30:52 +0200 -Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h - -Building two variants with the same common code requires to unset -USE_PKCS11 on part of build. That is not possible with config.h value. -Move it as normal define to CDEFINES. ---- - bin/confgen/Makefile.in | 2 +- - configure.ac | 8 ++++++-- - lib/dns/dst_internal.h | 12 +++++++++--- - 3 files changed, 16 insertions(+), 6 deletions(-) - -diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 1b7512d..c126bf3 100644 ---- a/bin/confgen/Makefile.in -+++ b/bin/confgen/Makefile.in -@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@ - CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ - ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} - --CDEFINES = -+CDEFINES = @USE_PKCS11@ - CWARNINGS = - - ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ -diff --git a/configure.ac b/configure.ac -index f5483fe..08a7d8a 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST]) - AC_SUBST([PKCS11_TOOLS]) - AC_SUBST([PKCS11_MANS]) - -+USE_PKCS11='-DUSE_PKCS11=0' -+USE_OPENSSL='-DUSE_OPENSSL=0' - AC_SUBST([CRYPTO]) - AS_CASE([$CRYPTO], -- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])], -- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])]) -+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'], -+ [USE_OPENSSL='-DUSE_OPENSSL=1']) -+AC_SUBST(USE_PKCS11) -+AC_SUBST(USE_OPENSSL) - - # preparation for automake - # AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"]) -diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h -index 2c3b4a3..55e9dc4 100644 ---- a/lib/dns/dst_internal.h -+++ b/lib/dns/dst_internal.h -@@ -38,6 +38,13 @@ - #include - #include - -+#ifndef USE_PKCS11 -+#define USE_PKCS11 0 -+#endif -+#ifndef USE_OPENSSL 
-+#define USE_OPENSSL (! USE_PKCS11) -+#endif -+ - #if USE_PKCS11 - #include - #include -@@ -116,11 +123,10 @@ struct dst_key { - void *generic; - dns_gss_ctx_id_t gssctx; - DH *dh; --#if USE_OPENSSL -- EVP_PKEY *pkey; --#endif /* if USE_OPENSSL */ - #if USE_PKCS11 - pk11_object_t *pkey; -+#else -+ EVP_PKEY *pkey; - #endif /* if USE_PKCS11 */ - dst_hmac_key_t *hmac_key; - } keydata; /*%< pointer to key in crypto pkg fmt */ --- -2.26.2 - diff --git a/bind-9.16-CVE-2021-25220-test.patch b/bind-9.16-CVE-2021-25220-test.patch deleted file mode 100644 index 150aa87..0000000 --- a/bind-9.16-CVE-2021-25220-test.patch +++ /dev/null 
@@ -1,1144 +0,0 @@ -From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001 -From: Mark Andrews -Date: Tue, 18 Jan 2022 00:19:47 +1100 -Subject: [PATCH] Add tests for forwarder cache poisoning scenarios - -- Check that an NS in an authority section returned from a forwarder - which is above the name in a configured "forward first" or "forward - only" zone (i.e., net/NS in a response from a forwarder configured for - local.net) is not cached. -- Test that a DNAME for a parent domain will not be cached when sent - in a response from a forwarder configured to answer for a child. -- Check that glue is rejected if its name falls below that of zone - configured locally. -- Check that an extra out-of-bailiwick data in the answer section is - not cached (this was already working correctly, but was not explicitly - tested before). - -(cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) -(cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739) ---- - bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ - bin/tests/system/forward/clean.sh | 2 + - bin/tests/system/forward/ns1/diditwork.net.db | 22 +++ - bin/tests/system/forward/ns1/named.conf.in | 20 +++ - bin/tests/system/forward/ns1/net.example.lll | 15 ++ - bin/tests/system/forward/ns1/spoofed.net.db | 22 +++ - bin/tests/system/forward/ns1/sub.local.net.db | 22 +++ - bin/tests/system/forward/ns10/fakenet.zone | 17 +++ - bin/tests/system/forward/ns10/fakenet2.zone | 15 ++ - .../system/forward/ns10/fakesublocalnet.zone | 15 ++ - .../system/forward/ns10/fakesublocaltld.zone | 15 ++ - bin/tests/system/forward/ns10/named.conf.in | 53 +++++++ - bin/tests/system/forward/ns10/net.example.lll | 15 ++ - bin/tests/system/forward/ns10/spoofednet.zone | 16 +++ - bin/tests/system/forward/ns2/tld.db | 6 + - bin/tests/system/forward/ns4/named.conf.in | 5 + - bin/tests/system/forward/ns4/sibling.tld.db | 22 +++ - bin/tests/system/forward/ns8/named.conf.in | 5 + - 
bin/tests/system/forward/ns8/sub.local.tld.db | 15 ++ - bin/tests/system/forward/ns9/local.net.db | 16 +++ - bin/tests/system/forward/ns9/local.tld.db | 15 ++ - bin/tests/system/forward/ns9/named1.conf.in | 67 +++++++++ - bin/tests/system/forward/ns9/named2.conf.in | 70 +++++++++ - bin/tests/system/forward/ns9/named3.conf.in | 50 +++++++ - bin/tests/system/forward/ns9/named4.conf.in | 47 ++++++ - bin/tests/system/forward/ns9/root.db | 13 ++ - bin/tests/system/forward/setup.sh | 2 + - bin/tests/system/forward/tests.sh | 122 ++++++++++++++++ - bin/tests/system/ifconfig.sh | 8 +- - 29 files changed, 844 insertions(+), 4 deletions(-) - create mode 100644 bin/tests/system/forward/ans11/ans.py - create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db - create mode 100644 bin/tests/system/forward/ns1/net.example.lll - create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db - create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db - create mode 100644 bin/tests/system/forward/ns10/fakenet.zone - create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone - create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone - create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone - create mode 100644 bin/tests/system/forward/ns10/named.conf.in - create mode 100644 bin/tests/system/forward/ns10/net.example.lll - create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone - create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db - create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db - create mode 100644 bin/tests/system/forward/ns9/local.net.db - create mode 100644 bin/tests/system/forward/ns9/local.tld.db - create mode 100644 bin/tests/system/forward/ns9/named1.conf.in - create mode 100644 bin/tests/system/forward/ns9/named2.conf.in - create mode 100644 bin/tests/system/forward/ns9/named3.conf.in - create mode 100644 bin/tests/system/forward/ns9/named4.conf.in - create mode 100644 
bin/tests/system/forward/ns9/root.db - -diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py -new file mode 100644 -index 0000000000..1d35b3d3f1 ---- /dev/null -+++ b/bin/tests/system/forward/ans11/ans.py -@@ -0,0 +1,136 @@ -+# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+# -+# SPDX-License-Identifier: MPL-2.0 -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, you can obtain one at https://mozilla.org/MPL/2.0/. -+# -+# See the COPYRIGHT file distributed with this work for additional -+# information regarding copyright ownership. -+ -+from __future__ import print_function -+import os -+import sys -+import signal -+import socket -+import select -+from datetime import datetime, timedelta -+import time -+import functools -+ -+import dns, dns.message, dns.query, dns.flags -+from dns.rdatatype import * -+from dns.rdataclass import * -+from dns.rcode import * -+from dns.name import * -+ -+# Log query to file -+def logquery(type, qname): -+ with open("qlog", "a") as f: -+ f.write("%s %s\n", type, qname) -+ -+############################################################################ -+# Respond to a DNS query. -+############################################################################ -+def create_response(msg): -+ m = dns.message.from_wire(msg) -+ qname = m.question[0].name.to_text() -+ rrtype = m.question[0].rdtype -+ typename = dns.rdatatype.to_text(rrtype) -+ -+ with open("query.log", "a") as f: -+ f.write("%s %s\n" % (typename, qname)) -+ print("%s %s" % (typename, qname), end=" ") -+ -+ r = dns.message.make_response(m) -+ r.set_rcode(NOERROR) -+ if rrtype == A: -+ tld=qname.split('.')[-2] + '.' -+ ns="local." + tld -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) -+ r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." 
+ tld)) -+ r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) -+ elif rrtype == NS: -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) -+ elif rrtype == SOA: -+ r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) -+ else: -+ r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) -+ r.flags |= dns.flags.AA -+ return r -+ -+def sigterm(signum, frame): -+ print ("Shutting down now...") -+ os.remove('ans.pid') -+ running = False -+ sys.exit(0) -+ -+############################################################################ -+# Main -+# -+# Set up responder and control channel, open the pid file, and start -+# the main loop, listening for queries on the query channel or commands -+# on the control channel and acting on them. -+############################################################################ -+ip4 = "10.53.0.11" -+ip6 = "fd92:7065:b8e:ffff::11" -+ -+try: port=int(os.environ['PORT']) -+except: port=5300 -+ -+query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) -+query4_socket.bind((ip4, port)) -+havev6 = True -+try: -+ query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) -+ try: -+ query6_socket.bind((ip6, port)) -+ except: -+ query6_socket.close() -+ havev6 = False -+except: -+ havev6 = False -+signal.signal(signal.SIGTERM, sigterm) -+ -+f = open('ans.pid', 'w') -+pid = os.getpid() -+print (pid, file=f) -+f.close() -+ -+running = True -+ -+print ("Listening on %s port %d" % (ip4, port)) -+if havev6: -+ print ("Listening on %s port %d" % (ip6, port)) -+print ("Ctrl-c to quit") -+ -+if havev6: -+ input = [query4_socket, query6_socket] -+else: -+ input = [query4_socket] -+ -+while running: -+ try: -+ inputready, outputready, exceptready = select.select(input, [], []) -+ except select.error as e: -+ break -+ except socket.error as e: -+ break -+ except KeyboardInterrupt: -+ break -+ -+ for s in inputready: -+ if s == query4_socket or s == query6_socket: -+ 
print ("Query received on %s" % -+ (ip4 if s == query4_socket else ip6), end=" ") -+ # Handle incoming queries -+ msg = s.recvfrom(65535) -+ rsp = create_response(msg[0]) -+ if rsp: -+ print(dns.rcode.to_text(rsp.rcode())) -+ s.sendto(rsp.to_wire(), msg[1]) -+ else: -+ print("NO RESPONSE") -+ if not running: -+ break -diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh -index bc04eadb2c..b65b092680 100644 ---- a/bin/tests/system/forward/clean.sh -+++ b/bin/tests/system/forward/clean.sh -@@ -10,10 +10,12 @@ - # - # Clean up after forward tests. - # -+rm -f ./ans11/query.log - rm -f ./dig.out.* - rm -f ./*/named.conf - rm -f ./*/named.memstats - rm -f ./*/named.run ./*/named.run.prev -+rm -f ./*/named_dump.db - rm -f ./ns*/named.lock - rm -f ./ns*/managed-keys.bind* - rm -f ./ns1/root.db ./ns1/root.db.signed -diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db -new file mode 100644 -index 0000000000..fd9a46eb0c ---- /dev/null -+++ b/bin/tests/system/forward/ns1/diditwork.net.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. 
-+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ TXT "recursed" -+ns A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in -index 4aef4e55e5..c5fb2eb172 100644 ---- a/bin/tests/system/forward/ns1/named.conf.in -+++ b/bin/tests/system/forward/ns1/named.conf.in -@@ -63,3 +63,23 @@ zone "sld.tld" { - zone "example6" { - type forward; - }; -+ -+zone "diditwork.net" { -+ type primary; -+ file "diditwork.net.db"; -+}; -+ -+zone "spoofed.net" { -+ type primary; -+ file "spoofed.net.db"; -+}; -+ -+zone "sub.local.net" { -+ type primary; -+ file "sub.local.net.db"; -+}; -+ -+zone "net.example.lll" { -+ type master; -+ file "net.example.lll"; -+}; -diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll -new file mode 100644 -index 0000000000..ba0804fd75 ---- /dev/null -+++ b/bin/tests/system/forward/ns1/net.example.lll -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net.example.lll. SOA . . 0 0 0 0 0 -+net.example.lll. NS attackSecureDomain.net. -+didItWork.net.example.lll. 
TXT "if you can see this record the attack worked" -diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db -new file mode 100644 -index 0000000000..eedc46f5c0 ---- /dev/null -+++ b/bin/tests/system/forward/ns1/spoofed.net.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ns A 10.53.0.1 -+sub TXT "recursed" -diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db -new file mode 100644 -index 0000000000..fd9a46eb0c ---- /dev/null -+++ b/bin/tests/system/forward/ns1/sub.local.net.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. 
-+ -+$TTL 300 ; 5 minutes -+@ IN SOA ns root ( -+ 2000082401 ; serial -+ 1800 ; refresh (30 minutes) -+ 1800 ; retry (30 minutes) -+ 1814400 ; expire (3 weeks) -+ 3600 ; minimum (1 hour) -+ ) -+ NS ns -+ TXT "recursed" -+ns A 10.53.0.1 -diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone -new file mode 100644 -index 0000000000..b655a32459 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakenet.zone -@@ -0,0 +1,17 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net. SOA . . 0 0 0 0 0 -+net. NS attackSecureDomain.net. -+attackSecureDomain.net. A 10.53.0.10 -+didItWork.net. TXT "if you can see this record the attack worked" -+ns.spoofed.net. A 10.53.0.10 -diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone -new file mode 100644 -index 0000000000..cd1e6e9944 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakenet2.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net2. SOA . . 0 0 0 0 0 -+net2. NS attackSecureDomain.net. -+net2. DNAME net.example.lll. 
-diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone -new file mode 100644 -index 0000000000..160b5332b2 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+sub.local.net. SOA . . 0 0 0 0 0 -+sub.local.net. NS ns.spoofed.net. -+sub.local.net. TXT "if you see this attacker overrode local delegation" -diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone -new file mode 100644 -index 0000000000..f78cbc77f6 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+sub.local.tld. 3600 IN TXT bad -+ns.sub.local.tld. 
3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in -new file mode 100644 -index 0000000000..1f318dd867 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/named.conf.in -@@ -0,0 +1,53 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.10; -+ notify-source 10.53.0.10; -+ transfer-source 10.53.0.10; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.10; }; -+ listen-on-v6 { none; }; -+ minimal-responses no; -+}; -+ -+zone "net." { -+ type master; -+ file "fakenet.zone"; -+}; -+ -+zone "spoofed.net." { -+ type master; -+ file "spoofednet.zone"; -+}; -+ -+zone "sub.local.net." { -+ type master; -+ file "fakesublocalnet.zone"; -+}; -+ -+zone "net2" { -+ type master; -+ file "fakenet2.zone"; -+}; -+ -+zone "net.example.lll" { -+ type master; -+ file "net.example.lll"; -+}; -+ -+zone "sub.local.tld." { -+ type master; -+ file "fakesublocaltld.zone"; -+}; -diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll -new file mode 100644 -index 0000000000..ba0804fd75 ---- /dev/null -+++ b/bin/tests/system/forward/ns10/net.example.lll -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. 
-+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+net.example.lll. SOA . . 0 0 0 0 0 -+net.example.lll. NS attackSecureDomain.net. -+didItWork.net.example.lll. TXT "if you can see this record the attack worked" -diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone -new file mode 100644 -index 0000000000..fb70a4372b ---- /dev/null -+++ b/bin/tests/system/forward/ns10/spoofednet.zone -@@ -0,0 +1,16 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+spoofed.net. SOA . . 0 0 0 0 0 -+spoofed.net. NS ns.spoofed.net. -+ns.spoofed.net. A 10.53.0.10 -+spoofed.net. TXT "this record is clearly spoofed" -diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db -index 61b6569b07..819210dc05 100644 ---- a/bin/tests/system/forward/ns2/tld.db -+++ b/bin/tests/system/forward/ns2/tld.db -@@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes - ns A 10.53.0.2 - sld NS ns.sld - ns.sld A 10.53.0.1 -+local NS ns.local -+ns.local A 10.53.0.9 -+sibling NS ns.sibling -+ns.sibling A 10.53.0.4 -+sibling NS ns.sub.local -+ns.sub.local A 10.53.0.10 -diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in -index 855b4bfb82..85349aa97e 100644 ---- a/bin/tests/system/forward/ns4/named.conf.in -+++ b/bin/tests/system/forward/ns4/named.conf.in -@@ -60,3 +60,8 @@ zone "malicious." 
{ - type primary; - file "malicious.db"; - }; -+ -+zone "sibling.tld" { -+ type primary; -+ file "sibling.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db -new file mode 100644 -index 0000000000..fe080ae974 ---- /dev/null -+++ b/bin/tests/system/forward/ns4/sibling.tld.db -@@ -0,0 +1,22 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+$TTL 86400 -+@ IN SOA malicious. admin.malicious. ( -+ 1 ; Serial -+ 604800 ; Refresh -+ 86400 ; Retry -+ 2419200 ; Expire -+ 86400 ) ; Negative Cache TTL -+ -+@ IN NS ns -+ -+ns IN A 10.53.0.4 -diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in -index 531ff59ece..f752eae885 100644 ---- a/bin/tests/system/forward/ns8/named.conf.in -+++ b/bin/tests/system/forward/ns8/named.conf.in -@@ -26,3 +26,8 @@ zone "." { - type hint; - file "root.db"; - }; -+ -+zone "sub.local.tld" { -+ type primary; -+ file "sub.local.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db -new file mode 100644 -index 0000000000..f2234c754e ---- /dev/null -+++ b/bin/tests/system/forward/ns8/sub.local.tld.db -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. 
-+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 -+sub.local.tld. 3600 IN NS ns.sub.local.tld. -+sub.local.tld. 3600 IN TXT good -+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db -new file mode 100644 -index 0000000000..af0d2a5a67 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/local.net.db -@@ -0,0 +1,16 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+local.net. 3600 IN SOA . . 0 0 0 0 0 -+local.net. 3600 IN NS localhost. -+ns.local.net. 3600 IN A 10.53.0.9 -+txt.local.net. 3600 IN TXT "something in the local auth zone" -+sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this -diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db -new file mode 100644 -index 0000000000..876a9139da ---- /dev/null -+++ b/bin/tests/system/forward/ns9/local.tld.db -@@ -0,0 +1,15 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+local.tld. 3600 IN SOA . . 0 0 0 0 0 -+local.tld. 3600 IN NS localhost. -+sub.local.tld. 3600 IN NS ns.sub.local.tld. 
-+ns.sub.local.tld. 3600 IN A 10.53.0.8 -diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in -new file mode 100644 -index 0000000000..be9a43842f ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named1.conf.in -@@ -0,0 +1,67 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+server 10.53.0.11 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "attacksecuredomain.net." { -+ type forward; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net2." { -+ type forward; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net3." { -+ type forward; -+ forwarders { 10.53.0.11; }; -+}; -+ -+zone "local.net." { -+ type primary; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in -new file mode 100644 -index 0000000000..2c40b42a0c ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named2.conf.in -@@ -0,0 +1,70 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. 
("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+server 10.53.0.11 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "attacksecuredomain.net." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net2." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+zone "attacksecuredomain.net3." { -+ type forward; -+ forward only; -+ forwarders { 10.53.0.11; }; -+}; -+ -+zone "local.net." { -+ type primary; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in -new file mode 100644 -index 0000000000..576f57c10b ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named3.conf.in -@@ -0,0 +1,50 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. 
-+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+ forward only; -+ forwarders { 10.53.0.10; }; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+zone "." { -+ type hint; -+ file "root.db"; -+}; -+ -+zone "local.net." { -+ type primary; -+ file "local.net.db"; -+ forwarders {}; -+}; -diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in -new file mode 100644 -index 0000000000..5cd7d84109 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/named4.conf.in -@@ -0,0 +1,47 @@ -+/* -+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+ * -+ * SPDX-License-Identifier: MPL-2.0 -+ * -+ * This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, you can obtain one at https://mozilla.org/MPL/2.0/. -+ * -+ * See the COPYRIGHT file distributed with this work for additional -+ * information regarding copyright ownership. -+ */ -+ -+options { -+ query-source address 10.53.0.9; -+ notify-source 10.53.0.9; -+ transfer-source 10.53.0.9; -+ port @PORT@; -+ pid-file "named.pid"; -+ listen-on { 10.53.0.9; }; -+ listen-on-v6 { none; }; -+ dnssec-validation no; -+ edns-udp-size 1232; -+}; -+ -+key rndc_key { -+ secret "1234abcd8765"; -+ algorithm hmac-sha256; -+}; -+ -+controls { -+ inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -+}; -+ -+server 10.53.0.10 { -+ edns no; -+}; -+ -+zone "." 
{ -+ type hint; -+ file "root.db"; -+}; -+ -+zone "local.tld." { -+ type primary; -+ file "local.tld.db"; -+}; -diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db -new file mode 100644 -index 0000000000..2cbdff5977 ---- /dev/null -+++ b/bin/tests/system/forward/ns9/root.db -@@ -0,0 +1,13 @@ -+; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -+; -+; SPDX-License-Identifier: MPL-2.0 -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, you can obtain one at https://mozilla.org/MPL/2.0/. -+; -+; See the COPYRIGHT file distributed with this work for additional -+; information regarding copyright ownership. -+ -+. NS a.root-servers.nil. -+a.root-servers.nil. A 10.53.0.1 -diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh -index 21cf67b782..a56dd3c03f 100644 ---- a/bin/tests/system/forward/setup.sh -+++ b/bin/tests/system/forward/setup.sh -@@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf - copy_setports ns5/named.conf.in ns5/named.conf - copy_setports ns7/named.conf.in ns7/named.conf - copy_setports ns8/named.conf.in ns8/named.conf -+copy_setports ns9/named1.conf.in ns9/named.conf -+copy_setports ns10/named.conf.in ns10/named.conf - - ( - cd ns1 -diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh -index 6096b06ca7..dfbaf887f7 100644 ---- a/bin/tests/system/forward/tests.sh -+++ b/bin/tests/system/forward/tests.sh -@@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 - if [ $ret != 0 ]; then echo_i "failed"; fi - status=$((status+ret)) - -+# -+# Check various spoofed response scenarios. The same tests will be -+# run twice, with "forward first" and "forward only" configurations. 
-+# -+run_spooftests () { -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 -+ # check 'net' is not poisoned. -+ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -+ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 -+ # check 'sub.local.net' is not poisoned. -+ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -+ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+ -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 -+ # check that net2/DNAME is not cached -+ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -+ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 -+ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+ -+ n=$((n+1)) -+ echo_i "checking spoofed response scenario 3 - extra answer ($n)" -+ ret=0 -+ # prime -+ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 -+ # check extra net3 records are not cached -+ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i -+ for try in 1 2 3 4 5; do -+ lines=$(grep "net3" ns9/named_dump.db | wc -l) -+ if [ ${lines} -eq 0 ]; then -+ sleep 1 -+ continue -+ fi -+ [ ${lines} -eq 1 ] || ret=1 -+ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 -+ grep -q '^local.net3' ns9/named_dump.db && ret=1 -+ done -+ if [ $ret != 0 ]; then echo_i "failed"; fi -+ status=$((status+ret)) -+} -+ -+echo_i "checking spoofed response scenarios with forward first zones" -+run_spooftests -+ -+copy_setports ns9/named2.conf.in ns9/named.conf -+rndccmd 10.53.0.9 
reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+echo_i "rechecking spoofed response scenarios with forward only zones" -+run_spooftests -+ -+# -+# This scenario expects the spoofed response to succeed. The tests are -+# similar to the ones above, but not identical. -+# -+echo_i "rechecking spoofed response scenarios with 'forward only' set globally" -+copy_setports ns9/named3.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+n=$((n+1)) -+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 -+# check 'net' is poisoned. -+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 -+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 -+# check 'sub.local.net' is poisoned. -+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 -+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ -+n=$((n+1)) -+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 -+# check that net2/DNAME is cached -+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 -+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 -+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ -+# -+# This test doesn't use any forwarder clauses but is here because it -+# is similar to forwarders, as the set of servers that can populate -+# the namespace is defined by the zone content. 
-+# -+echo_i "rechecking spoofed response scenarios glue below local zone" -+copy_setports ns9/named4.conf.in ns9/named.conf -+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i -+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i -+sleep 1 -+ -+n=$((n+1)) -+echo_i "checking sibling glue below zone ($n)" -+ret=0 -+# prime -+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 -+# check for glue A record for sub.local.tld is not used -+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 -+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 -+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 -+if [ $ret != 0 ]; then echo_i "failed"; fi -+status=$((status+ret)) -+ - echo_i "exit status: $status" - [ $status -eq 0 ] || exit 1 -diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh -index e078f3313b..2a4d955caf 100755 ---- a/bin/tests/system/ifconfig.sh -+++ b/bin/tests/system/ifconfig.sh -@@ -12,10 +12,10 @@ - # - # Set up interface aliases for bind9 system tests. - # --# IPv4: 10.53.0.{1..10} RFC 1918 -+# IPv4: 10.53.0.{1..11} RFC 1918 - # 10.53.1.{1..2} - # 10.53.2.{1..2} --# IPv6: fd92:7065:b8e:ffff::{1..10} ULA -+# IPv6: fd92:7065:b8e:ffff::{1..11} ULA - # fd92:7065:b8e:99ff::{1..2} - # fd92:7065:b8e:ff::{1..2} - # -@@ -55,7 +55,7 @@ case "$1" in - 2) ipv6="00" ;; - *) ipv6="" ;; - esac -- for ns in 1 2 3 4 5 6 7 8 9 10 -+ for ns in 1 2 3 4 5 6 7 8 9 10 11 - do - [ $i -gt 0 -a $ns -gt 2 ] && break - int=`expr $i \* 10 + $ns` -@@ -160,7 +160,7 @@ case "$1" in - 2) ipv6="00" ;; - *) ipv6="" ;; - esac -- for ns in 10 9 8 7 6 5 4 3 2 1 -+ for ns in 11 10 9 8 7 6 5 4 3 2 1 - do - [ $i -gt 0 -a $ns -gt 2 ] && continue - int=`expr $i \* 10 + $ns - 1` --- -2.34.1 - diff --git a/bind-9.16-CVE-2021-25220.patch b/bind-9.16-CVE-2021-25220.patch deleted file mode 100644 index de75ab8..0000000 --- a/bind-9.16-CVE-2021-25220.patch +++ /dev/null 
@@ -1,251 +0,0 @@
-From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
-From: Mark Andrews
-Date: Wed, 19 Jan 2022 17:38:18 +1100
-Subject: [PATCH] Add additional name checks when using a forwarder
-
-When using a forwarder, check that the owner name of response
-records are within the bailiwick of the forwarded name space.
-
-(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
-
-Check that the forward declaration is unchanged and not overridden
-
-If we are using a fowarder, in addition to checking that names to
-be cached are subdomains of the forwarded namespace, we must also
-check that there are no subsidiary forwarded namespaces which would
-take precedence. To be safe, we don't cache any responses if the
-forwarding configuration has changed since the query was sent.
-
-(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
-
-Check cached names for possible "forward only" clause
-
-When caching additional and glue data *not* from a forwarder, we must
-check that there is no "forward only" clause covering the owner name
-that would take precedence. Such names would normally be allowed by
-baliwick rules, but a "forward only" zone introduces a new baliwick
-scope.
-
-(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
-
-Look for zones deeper than the current domain or forward name
-
-When caching glue, we need to ensure that there is no closer
-source of truth for the name. If the owner name for the glue
-record would be answered by a locally configured zone, do not
-cache.
-
-(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
----
- lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 123 insertions(+), 5 deletions(-)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index a7bc661bb7..7603a07b7b 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -63,6 +63,8 @@
- #include
- #include
- #include
-+#include
-+
- #ifdef WANT_QUERYTRACE
- #define RTRACE(m) \
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
-@@ -337,6 +339,8 @@ struct fetchctx {
- dns_fetch_t *qminfetch;
- dns_rdataset_t qminrrset;
- dns_name_t qmindcname;
-+ dns_fixedname_t fwdfname;
-+ dns_name_t *fwdname;
- 
- /*%
- * The number of events we're waiting for.
-@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- if (result == ISC_R_SUCCESS) {
- fwd = ISC_LIST_HEAD(forwarders->fwdrs);
- fctx->fwdpolicy = forwarders->fwdpolicy;
-+ dns_name_copynf(domain, fctx->fwdname);
- if (fctx->fwdpolicy == dns_fwdpolicy_only &&
- isstrictsubdomain(domain, &fctx->domain))
- {
-@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
- fctx->restarts = 0;
- fctx->querysent = 0;
- fctx->referrals = 0;
-+
-+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
-+
- TIME_NOW(&fctx->start);
- fctx->timeouts = 0;
- fctx->lamecount = 0;
-@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
- fname, &forwarders);
- if (result == ISC_R_SUCCESS) {
- fctx->fwdpolicy = forwarders->fwdpolicy;
-+ dns_name_copynf(fname, fctx->fwdname);
- }
- 
- if (fctx->fwdpolicy != dns_fwdpolicy_only) {
-@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
- }
- }
- 
-+/*
-+ * Returns true if 'name' is external to the namespace for which
-+ * the server being queried can answer, either because it's not a
-+ * subdomain or because it's below a forward declaration or a
-+ * locally served zone.
-+ */
-+static inline bool
-+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
-+ isc_result_t result;
-+ dns_forwarders_t *forwarders = NULL;
-+ dns_fixedname_t fixed, zfixed;
-+ dns_name_t *fname = dns_fixedname_initname(&fixed);
-+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
-+ dns_name_t *apex = NULL;
-+ dns_name_t suffix;
-+ dns_zone_t *zone = NULL;
-+ unsigned int labels;
-+ dns_namereln_t rel;
-+
-+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
-+
-+ /*
-+ * The name is outside the queried namespace.
-+ */
-+ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
-+ &(unsigned int){ 0U });
-+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
-+ return (true);
-+ }
-+
-+ /*
-+ * If the record lives in the parent zone, adjust the name so we
-+ * look for the correct zone or forward clause.
-+ */
-+ labels = dns_name_countlabels(name);
-+ if (dns_rdatatype_atparent(type) && labels > 1U) {
-+ dns_name_init(&suffix, NULL);
-+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
-+ name = &suffix;
-+ } else if (rel == dns_namereln_equal) {
-+ /* If 'name' is 'apex', no further checking is needed. */
-+ return (false);
-+ }
-+
-+ /*
-+ * If there is a locally served zone between 'apex' and 'name'
-+ * then don't cache.
-+ */
-+ LOCK(&fctx->res->view->lock);
-+ if (fctx->res->view->zonetable != NULL) {
-+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
-+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
-+ zfname, &zone);
-+ if (zone != NULL) {
-+ dns_zone_detach(&zone);
-+ }
-+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
-+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
-+ &(unsigned int){ 0U }) ==
-+ dns_namereln_subdomain)
-+ {
-+ UNLOCK(&fctx->res->view->lock);
-+ return (true);
-+ }
-+ }
-+ }
-+ UNLOCK(&fctx->res->view->lock);
-+
-+ /*
-+ * Look for a forward declaration below 'name'.
-+ */
-+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
-+ &forwarders);
-+
-+ if (ISFORWARDER(fctx->addrinfo)) {
-+ /*
-+ * See if the forwarder declaration is better.
-+ */
-+ if (result == ISC_R_SUCCESS) {
-+ return (!dns_name_equal(fname, fctx->fwdname));
-+ }
-+
-+ /*
-+ * If the lookup failed, the configuration must have
-+ * changed: play it safe and don't cache.
-+ */
-+ return (true);
-+ } else if (result == ISC_R_SUCCESS &&
-+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
-+ !ISC_LIST_EMPTY(forwarders->fwdrs))
-+ {
-+ /*
-+ * If 'name' is covered by a 'forward only' clause then we
-+ * can't cache this repsonse.
-+ */
-+ return (true);
-+ }
-+
-+ return (false);
-+}
-+
- static isc_result_t
- check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
- dns_section_t section) {
-@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
- result = dns_message_findname(rctx->query->rmessage, section, addname,
- dns_rdatatype_any, 0, &name, NULL);
- if (result == ISC_R_SUCCESS) {
-- external = !dns_name_issubdomain(name, &fctx->domain);
-+ external = name_external(name, type, fctx);
- if (type == dns_rdatatype_a) {
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
-@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
- break;
- 
- case dns_namereln_subdomain:
-+ /*
-+ * Don't accept DNAME from parent namespace.
-+ */
-+ if (name_external(name, dns_rdatatype_dname, fctx)) {
-+ continue;
-+ }
-+
- /*
- * In-scope DNAME records must have at least
- * as many labels as the domain being queried.
-@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
- DNS_SECTION_AUTHORITY);
- while (!done && result == ISC_R_SUCCESS) {
- dns_name_t *name = NULL;
-- bool external;
- 
- dns_message_currentname(rctx->query->rmessage,
- DNS_SECTION_AUTHORITY, &name);
-- external = !dns_name_issubdomain(name, &fctx->domain);
- 
-- if (!external) {
-+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
- dns_rdataset_t *rdataset = NULL;
- 
- /*
-@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
- }
- 
- if (!dns_name_issubdomain(name, &fctx->domain)) {
-- /* Invalid name found; preserve it for logging later */
-+ /*
-+ * Invalid name found; preserve it for logging
-+ * later.
-+ */
- rctx->found_name = name;
- rctx->found_type = ISC_LIST_HEAD(name->list)->type;
- continue;
--- 
-2.34.1
-
diff --git a/bind-9.16-CVE-2022-0396.patch b/bind-9.16-CVE-2022-0396.patch
deleted file mode 100644
index 5a374f1..0000000
--- a/bind-9.16-CVE-2022-0396.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
-Date: Tue, 8 Feb 2022 12:42:34 +0100
-Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
-
-When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
-asynchronously to ensure correct order of multiple packets processing in
-the isc__nm_process_sock_buffer(). When not run asynchronously, it
-would cause:
-
- a) out-of-order processing of the return codes from processbuffer();
-
- b) stack growth because the next TCP DNS message read callback will
- be called from within the current TCP DNS message read callback.
-
-The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
-sockets which calls isc__nm_process_sock_buffer(). If the read callback
-(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
-attach to the nmhandle (f.e. because it wants to drop the processing or
-we send the response directly via uv_try_write()), the
-isc__nm_resume_processing() (via .closehandle_cb) would call
-isc__nm_process_sock_buffer() recursively.
-
-The below shortened code path shows how the stack can grow:
-
- 1: ns__client_request(handle, ...);
- 2: isc_nm_tcpdns_sequential(handle);
- 3: ns_query_start(client, handle);
- 4: query_lookup(qctx);
- 5: query_send(qctcx->client);
- 6: isc__nmhandle_detach(&client->reqhandle);
- 7: nmhandle_detach_cb(&handle);
- 8: sock->closehandle_cb(sock); // isc__nm_resume_processing
- 9: isc__nm_process_sock_buffer(sock);
-10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
-11: isc_nmhandle_attach(req->handle, &handle);
-12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
-13: isc__nm_async_readcb(NULL, ...);
-14: uvreq->cb.recv(...); // ns__client_request
-
-Instead, if 'sock->closehandle_cb' is set, we need to run detach the
-handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
-the code flow above does not start this recursion. This ensures the
-correct order when processing multiple packets in the function
-'isc__nm_process_sock_buffer()' and prevents the stack growth.
-
-When not run asynchronously, the out-of-order processing leaves the
-first TCP socket open until all requests on the stream have been
-processed.
-
-If the pipelining is disabled on the TCP via `keep-response-order`
-configuration option, named would keep the first socket in lingering
-CLOSE_WAIT state when the client sends an incomplete packet and then
-closes the connection from the client side.
-
-(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
----
- lib/isc/netmgr/netmgr.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
-index 3283eb6e4f..0ed3182fb6 100644
---- a/lib/isc/netmgr/netmgr.c
-+++ b/lib/isc/netmgr/netmgr.c
-@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
- handle = *handlep;
- *handlep = NULL;
- 
-+ /*
-+ * If the closehandle_cb is set, it needs to run asynchronously to
-+ * ensure correct ordering of the isc__nm_process_sock_buffer().
-+ */
- sock = handle->sock;
-- if (sock->tid == isc_nm_tid()) {
-+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
- nmhandle_detach_cb(&handle FLARG_PASS);
- } else {
- isc__netievent_detach_t *event =
--- 
-2.34.1
-
diff --git a/bind-9.16-CVE-2022-2795.patch b/bind-9.16-CVE-2022-2795.patch
deleted file mode 100644
index b67c8e9..0000000
--- a/bind-9.16-CVE-2022-2795.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
-Date: Thu, 8 Sep 2022 11:11:30 +0200
-Subject: [PATCH] Bound the amount of work performed for delegations
-
-Limit the amount of database lookups that can be triggered in
-fctx_getaddresses() (i.e. when determining the name server addresses to
-query next) by setting a hard limit on the number of NS RRs processed
-for any delegation encountered. Without any limit in place, named can
-be forced to perform large amounts of database lookups per each query
-received, which severely impacts resolver performance.
-
-The limit used (20) is an arbitrary value that is considered to be big
-enough for any sane DNS delegation.
-
-(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
----
- lib/dns/resolver.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index d2cf14bbc8..73a0ee9f77 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -195,6 +195,12 @@
- */
- #define NS_FAIL_LIMIT 4
- #define NS_RR_LIMIT 5
-+/*
-+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
-+ * any NS RRset encountered, to avoid excessive resource use while processing
-+ * large delegations.
-+ */
-+#define NS_PROCESSING_LIMIT 20
- 
- /* Number of hash buckets for zone counters */
- #ifndef RES_DOMAIN_BUCKETS
-@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
- bool need_alternate = false;
- bool all_spilled = true;
- unsigned int no_addresses = 0;
-+ unsigned int ns_processed = 0;
- 
- FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
- 
-@@ -3902,6 +3909,11 @@ normal_nses:
- 
- dns_rdata_reset(&rdata);
- dns_rdata_freestruct(&ns);
-+
-+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
-+ result = ISC_R_NOMORE;
-+ break;
-+ }
- }
- if (result != ISC_R_NOMORE) {
- return (result);
--- 
-2.37.3
-
diff --git a/bind-9.16-CVE-2022-3080.patch b/bind-9.16-CVE-2022-3080.patch
deleted file mode 100644
index 998ddf4..0000000
--- a/bind-9.16-CVE-2022-3080.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
-From: Petr Mensik
-Date: Tue, 20 Sep 2022 11:34:42 +0200
-Subject: [PATCH 2/4] Fix CVE-2022-3080
-
-5960. [security] Fix serve-stale crash that could happen when
- stale-answer-client-timeout was set to 0 and there was
- a stale CNAME in the cache for an incoming query.
- (CVE-2022-3080) [GL #3517]
----
- lib/ns/include/ns/query.h | 1 +
- lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
- 2 files changed, 27 insertions(+), 16 deletions(-)
-
-diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
-index 4d48cf6..34b3070 100644
---- a/lib/ns/include/ns/query.h
-+++ b/lib/ns/include/ns/query.h
-@@ -145,6 +145,7 @@ struct query_ctx {
- bool authoritative; /* authoritative query? */
- bool want_restart; /* CNAME chain or other
- * restart needed */
-+ bool refresh_rrset; /* stale RRset refresh needed */
- bool need_wildcardproof; /* wildcard proof needed */
- bool nxrewrite; /* negative answer from RPZ */
- bool findcoveringnsec; /* lookup covering NSEC */
-diff --git a/lib/ns/query.c b/lib/ns/query.c
-index 249321c..a450cb7 100644
---- a/lib/ns/query.c
-+++ b/lib/ns/query.c
-@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
- bool dbfind_stale = false;
- bool stale_timeout = false;
- bool stale_found = false;
-- bool refresh_rrset = false;
- bool stale_refresh_window = false;
- 
- CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
-@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
- "%s stale answer used, an attempt to "
- "refresh the RRset will still be made",
- namebuf);
-- refresh_rrset = STALE(qctx->rdataset);
-- qctx->client->nodetach = refresh_rrset;
-+ qctx->refresh_rrset = STALE(qctx->rdataset);
- }
- } else {
- /*
-@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
- 
- result = query_gotanswer(qctx, result);
- 
-- if (refresh_rrset) {
-- /*
-- * If we reached this point then it means that we have found a
-- * stale RRset entry in cache and BIND is configured to allow
-- * queries to be answered with stale data if no active RRset
-- * is available, i.e. "stale-anwer-client-timeout 0". But, we
-- * still need to refresh the RRset.
-- */
-- query_refresh_rrset(qctx);
-- }
--
- cleanup:
- return (result);
- }
-@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
- 
- /*
- * On normal lookups, clear any rdatasets that were added on a
-- * lookup due to stale-answer-client-timeout.
-+ * lookup due to stale-answer-client-timeout. Do not clear if we
-+ * are going to refresh the RRset, because the stale contents are
-+ * prioritized.
- */
- if (QUERY_STALEOK(&qctx->client->query) &&
-- !QUERY_STALETIMEOUT(&qctx->client->query))
-+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
- {
-+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
- query_clear_stale(qctx->client);
- /*
- * We can clear the attribute to prevent redundant clearing
-@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
- /*
- * Client may have been detached after query_send(), so
- * we test and store the flag state here, for safety.
-+ * If we are refreshing the RRSet, we must not detach from the client
-+ * in the query_send(), so we need to override the flag.
- */
-+ if (qctx->refresh_rrset) {
-+ qctx->client->nodetach = true;
-+ }
- nodetach = qctx->client->nodetach;
- query_send(qctx->client);
-+
-+ if (qctx->refresh_rrset) {
-+ /*
-+ * If we reached this point then it means that we have found a
-+ * stale RRset entry in cache and BIND is configured to allow
-+ * queries to be answered with stale data if no active RRset
-+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
-+ * still need to refresh the RRset. To prevent adding duplicate
-+ * RRsets, clear the RRsets from the message before doing the
-+ * refresh.
-+ */
-+ message_clearrdataset(qctx->client->message, 0);
-+ query_refresh_rrset(qctx);
-+ }
-+
- if (!nodetach) {
- qctx->detach_client = true;
- }
--- 
-2.37.3
-
diff --git a/bind-9.16-CVE-2022-3094-1.patch b/bind-9.16-CVE-2022-3094-1.patch
deleted file mode 100644
index 86fbf76..0000000
--- a/bind-9.16-CVE-2022-3094-1.patch
+++ /dev/null
@@ -1,240 +0,0 @@
-From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001
-From: Evan Hunt
-Date: Thu, 1 Sep 2022 16:05:04 -0700
-Subject: [PATCH] add an update quota
-
-limit the number of simultaneous DNS UPDATE events that can be
-processed by adding a quota for update and update forwarding.
-this quota currently, arbitrarily, defaults to 100.
-
-also add a statistics counter to record when the update quota
-has been exceeded.
-
-(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
----
- bin/named/bind9.xsl | 4 +++-
- bin/named/bind9.xsl.h | 6 +++++-
- bin/named/statschannel.c | 5 +++--
- doc/arm/reference.rst | 5 +++++
- lib/ns/include/ns/server.h | 1 +
- lib/ns/include/ns/stats.h | 4 +++-
- lib/ns/server.c | 2 ++
- lib/ns/update.c | 37 ++++++++++++++++++++++++++++++++++++-
- 8 files changed, 58 insertions(+), 6 deletions(-)
-
-diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
-index 5078115..194625b 100644
---- a/bin/named/bind9.xsl
-+++ b/bin/named/bind9.xsl
-@@ -12,7 +12,9 @@
- 
- 
- 
-- 
-+ 
-+ 
-+ 
- 
- 
- 
-diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
-index e30f7f5..b182742 100644
---- a/bin/named/bind9.xsl.h
-+++ b/bin/named/bind9.xsl.h
-@@ -20,7 +20,11 @@ static char xslmsg[] =
- "\n"
- " \n"
-- " \n"
-+ " \n"
-+ " \n"
-+ " \n"
- " \n"
- " \n"
- "