webbuilder_pel7ppc64bebuilder0
6 years ago
112 changed files with 61042 additions and 0 deletions
@ -0,0 +1,79 @@
@@ -0,0 +1,79 @@
|
||||
PGSQL BIND SDB driver |
||||
|
||||
The postgresql BIND SDB driver is of experimental status and should not be |
||||
used for production systems. |
||||
|
||||
Usage: |
||||
|
||||
o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named ) |
||||
|
||||
o Edit your named.conf to contain a database zone, eg. : |
||||
|
||||
zone "pgdb.net." IN { |
||||
type master; |
||||
database "pgsql bind pgdb localhost pguser pgpasswd"; |
||||
# ^- DB name ^-Table ^-host ^-user ^-password |
||||
}; |
||||
|
||||
o Create the database zone table |
||||
The table must contain the columns "name", "rdtype", and "rdata", and |
||||
is expected to contain a properly constructed zone. The program "zonetodb" |
||||
creates such a table. |
||||
|
||||
zonetodb usage: |
||||
|
||||
zonetodb origin file dbname dbtable |
||||
|
||||
where |
||||
origin : zone origin, eg "pgdb.net." |
||||
file : master zone database file, eg. pgdb.net.db |
||||
dbname : name of postgresql database |
||||
dbtable: name of table in database |
||||
|
||||
Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database |
||||
'pgdb' table: |
||||
|
||||
--- |
||||
#pgdb.net.db: |
||||
$TTL 1H |
||||
@ SOA localhost. root.localhost. ( 1 |
||||
3H |
||||
1H |
||||
1W |
||||
1H ) |
||||
NS localhost. |
||||
host1 A 192.168.2.1 |
||||
host2 A 192.168.2.2 |
||||
host3 A 192.168.2.3 |
||||
host4 A 192.168.2.4 |
||||
host5 A 192.168.2.5 |
||||
host6 A 192.168.2.6 |
||||
host7 A 192.168.2.7 |
||||
--- |
||||
|
||||
Issue this command as the pgsql user authorized to update the bind database: |
||||
|
||||
# zonetodb pgdb.net. pgdb.net.db bind pgdb |
||||
|
||||
will create / update the pgdb table in the 'bind' db: |
||||
|
||||
$ psql -dbind -c 'select * from pgdb;' |
||||
name | ttl | rdtype | rdata |
||||
----------------+------+--------+----------------------------------------------------- |
||||
pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600 |
||||
pgdb.net | 3600 | NS | localhost. |
||||
host1.pgdb.net | 3600 | A | 192.168.2.1 |
||||
host2.pgdb.net | 3600 | A | 192.168.2.2 |
||||
host3.pgdb.net | 3600 | A | 192.168.2.3 |
||||
host4.pgdb.net | 3600 | A | 192.168.2.4 |
||||
host5.pgdb.net | 3600 | A | 192.168.2.5 |
||||
host6.pgdb.net | 3600 | A | 192.168.2.6 |
||||
host7.pgdb.net | 3600 | A | 192.168.2.7 |
||||
(9 rows) |
||||
|
||||
I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK. |
||||
|
||||
NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named |
||||
service . |
||||
|
||||
USE AT YOUR OWN RISK! |
@ -0,0 +1,63 @@
@@ -0,0 +1,63 @@
|
||||
srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
@BIND9_VERSION@ |
||||
|
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \ |
||||
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ |
||||
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} |
||||
|
||||
CDEFINES = -DBIND9 |
||||
|
||||
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ |
||||
ISCCCLIBS = ../../lib/isccc/libisccc.@A@ |
||||
ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
LWRESLIBS = ../../lib/lwres/liblwres.@A@ |
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@ |
||||
|
||||
DNSDEPLIBS = ../../lib/dns/libdns.@A@ |
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ |
||||
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ |
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ |
||||
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ |
||||
|
||||
DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ |
||||
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS} |
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
|
||||
TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ |
||||
|
||||
OBJS = zone2ldap.@O@ zonetodb.@O@ |
||||
|
||||
SRCS = zone2ldap.c zonetodb.c |
||||
|
||||
MANPAGES = zone2ldap.1 |
||||
|
||||
EXT_CFLAGS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
|
||||
zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS} |
||||
|
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} |
||||
|
||||
clean distclean manclean maintainer-clean:: |
||||
rm -f ${TARGETS} ${OBJS} |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 |
||||
|
||||
install:: ${TARGETS} installdirs |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 |
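Review bot: The two link rules `zone2ldap@EXEEXT@:` and `zonetodb@EXEEXT@:` pass `${CFLAGS}` to the link step, while the objects are presumably compiled by `@BIND9_MAKE_RULES@` with `${ALL_CFLAGS}` (the file sets `EXT_CFLAGS =` to feed that variable, and the `ldap2zone@EXEEXT@` rule that the later fix_sdb_ldap patch adds to this same file already uses `${ALL_CFLAGS}`), so anything injected through EXT_CFLAGS is dropped from these two links. Changing the first to `${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}` and the zonetodb line alike keeps the three rules consistent. `MANPAGES = zone2ldap.1` and the `install::` rule cover only zone2ldap, so zonetodb lands in `${sbindir}` with no man page; if that is deliberate, a one-line comment above `MANPAGES` saying so would stop the next reader from treating it as an omission.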
@ -0,0 +1,60 @@
@@ -0,0 +1,60 @@
|
||||
--- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100 |
||||
+++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100 |
||||
@@ -205,6 +205,57 @@ |
||||
\fI/var/run/named/named.pid\fR |
||||
.RS 4 |
||||
The default process\-id file. |
||||
+.PP |
||||
+.SH "NOTES" |
||||
+.PP |
||||
+.TP |
||||
+\fBRed Hat SELinux BIND Security Profile:\fR |
||||
+.PP |
||||
+By default, Red Hat ships BIND with the most secure SELinux policy |
||||
+that will not prevent normal BIND operation and will prevent exploitation |
||||
+of all known BIND security vulnerabilities . See the selinux(8) man page |
||||
+for information about SElinux. |
||||
+.PP |
||||
+It is not necessary to run named in a chroot environment if the Red Hat |
||||
+SELinux policy for named is enabled. When enabled, this policy is far |
||||
+more secure than a chroot environment. Users are recommended to enable |
||||
+SELinux and remove the bind-chroot package. |
||||
+.PP |
||||
+With this extra security comes some restrictions: |
||||
+.PP |
||||
+By default, the SELinux policy does not allow named to write any master |
||||
+zone database files. Only the root user may create files in the $ROOTDIR/var/named |
||||
+zone database file directory (the options { "directory" } option), where |
||||
+$ROOTDIR is set in /etc/sysconfig/named. |
||||
+.PP |
||||
+The "named" group must be granted read privelege to |
||||
+these files in order for named to be enabled to read them. |
||||
+.PP |
||||
+Any file created in the zone database file directory is automatically assigned |
||||
+the SELinux file context named_zone_t . |
||||
+.PP |
||||
+By default, SELinux prevents any role from modifying named_zone_t files; this |
||||
+means that files in the zone database directory cannot be modified by dynamic |
||||
+DNS (DDNS) updates or zone transfers. |
||||
+.PP |
||||
+The Red Hat BIND distribution and SELinux policy creates three directories where |
||||
+named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic |
||||
+/var/named/data. By placing files you want named to modify, such as |
||||
+slave or DDNS updateable zone files and database / statistics dump files in |
||||
+these directories, named will work normally and no further operator action is |
||||
+required. Files in these directories are automatically assigned the 'named_cache_t' |
||||
+file context, which SELinux allows named to write. |
||||
+.PP |
||||
+\fBRed Hat BIND SDB support:\fR |
||||
+.PP |
||||
+Red Hat ships named with compiled in Simplified Database Backend modules that ISC |
||||
+provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them |
||||
+.PP |
||||
+The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb. |
||||
+.PP |
||||
+See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ . |
||||
+.br |
||||
+.PP |
||||
.RE |
||||
.SH "SEE ALSO" |
||||
.PP |
@ -0,0 +1,524 @@
@@ -0,0 +1,524 @@
|
||||
diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/Makefile.in |
||||
--- bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200 |
||||
+++ bind-9.5.1b1/bin/sdb_tools/Makefile.in 2008-07-21 12:17:51.000000000 +0200 |
||||
@@ -30,11 +30,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} |
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@ |
||||
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ |
||||
|
||||
-OBJS = zone2ldap.@O@ zonetodb.@O@ |
||||
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ |
||||
|
||||
-SRCS = zone2ldap.c zonetodb.c |
||||
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c |
||||
|
||||
MANPAGES = zone2ldap.1 |
||||
|
||||
@@ -48,6 +48,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI |
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} |
||||
|
||||
+ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} |
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} |
||||
+ |
||||
clean distclean manclean maintainer-clean:: |
||||
rm -f ${TARGETS} ${OBJS} |
||||
|
||||
@@ -57,5 +60,6 @@ installdirs: |
||||
|
||||
install:: ${TARGETS} installdirs |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 |
||||
diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/zone2ldap.c |
||||
--- bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200 |
||||
+++ bind-9.5.1b1/bin/sdb_tools/zone2ldap.c 2008-07-21 12:14:00.000000000 +0200 |
||||
@@ -24,6 +24,7 @@ |
||||
#include <isc/hash.h> |
||||
#include <isc/mem.h> |
||||
#include <isc/print.h> |
||||
+#include <isc/hash.h> |
||||
#include <isc/result.h> |
||||
|
||||
#include <dns/db.h> |
||||
@@ -61,6 +62,9 @@ ldap_info; |
||||
/* usage Info */ |
||||
void usage (void); |
||||
|
||||
+/* Check for existence of (and possibly add) containing dNSZone objects */ |
||||
+int lookup_dns_zones( ldap_info *ldinfo); |
||||
+ |
||||
/* Add to the ldap dit */ |
||||
void add_ldap_values (ldap_info * ldinfo); |
||||
|
||||
@@ -77,7 +81,7 @@ char **hostname_to_dn_list (char *hostna |
||||
int get_attr_list_size (char **tmp); |
||||
|
||||
/* Get a DN */ |
||||
-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag); |
||||
+char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone); |
||||
|
||||
/* Add to RR list */ |
||||
void add_to_rr_list (char *dn, char *name, char *type, char *data, |
||||
@@ -99,11 +103,27 @@ void |
||||
init_ldap_conn (); |
||||
void usage(); |
||||
|
||||
-char *argzone, *ldapbase, *binddn, *bindpw = NULL; |
||||
-const char *ldapsystem = "localhost"; |
||||
-static const char *objectClasses[] = |
||||
- { "top", "dNSZone", NULL }; |
||||
-static const char *topObjectClasses[] = { "top", NULL }; |
||||
+static char *argzone, *ldapbase, *binddn, *bindpw = NULL; |
||||
+ |
||||
+/* these are needed to placate gcc4's const-ness const-ernations : */ |
||||
+static char localhost[] = "localhost"; |
||||
+static char *ldapsystem=&(localhost[0]); |
||||
+/* dnszone schema class names: */ |
||||
+static char topClass [] ="top"; |
||||
+static char dNSZoneClass[] ="dNSZone"; |
||||
+static char objectClass [] ="objectClass"; |
||||
+static char dcObjectClass[]="dcObject"; |
||||
+/* dnszone schema attribute names: */ |
||||
+static char relativeDomainName[]="relativeDomainName"; |
||||
+static char dNSTTL []="dNSTTL"; |
||||
+static char zoneName []="zoneName"; |
||||
+static char dc []="dc"; |
||||
+static char sameZone []="@"; |
||||
+/* LDAPMod mod_values: */ |
||||
+static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL }; |
||||
+static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL }; |
||||
+static char *dn_buffer [64]={NULL}; |
||||
+ |
||||
LDAP *conn; |
||||
unsigned int debug = 0; |
||||
|
||||
@@ -119,12 +139,12 @@ main (int argc, char **argv) |
||||
isc_result_t result; |
||||
char *basedn; |
||||
ldap_info *tmp; |
||||
- LDAPMod *base_attrs[2]; |
||||
- LDAPMod base; |
||||
+ LDAPMod *base_attrs[5]; |
||||
+ LDAPMod base, dcBase, znBase, rdnBase; |
||||
isc_buffer_t buff; |
||||
char *zonefile=0L; |
||||
char fullbasedn[1024]; |
||||
- char *ctmp; |
||||
+ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2]; |
||||
dns_fixedname_t fixedzone, fixedname; |
||||
dns_rdataset_t rdataset; |
||||
char **dc_list; |
||||
@@ -137,7 +157,7 @@ main (int argc, char **argv) |
||||
extern char *optarg; |
||||
extern int optind, opterr, optopt; |
||||
int create_base = 0; |
||||
- int topt; |
||||
+ int topt, dcn, zdn, znlen; |
||||
|
||||
if ((int) argc < 2) |
||||
{ |
||||
@@ -145,7 +165,7 @@ main (int argc, char **argv) |
||||
exit (-1); |
||||
} |
||||
|
||||
- while ((topt = getopt ((int) argc, argv, "D:w:b:z:f:h:?dcv")) != -1) |
||||
+ while ((topt = getopt ((int) argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1) |
||||
{ |
||||
switch (topt) |
||||
{ |
||||
@@ -164,8 +184,11 @@ main (int argc, char **argv) |
||||
case 'w': |
||||
bindpw = strdup (optarg); |
||||
break; |
||||
+ case 'W': |
||||
+ bindpw = getpass("Enter LDAP Password: "); |
||||
+ break; |
||||
case 'b': |
||||
- ldapbase = strdup (optarg); |
||||
+ ldapbase = strdup (optarg); |
||||
break; |
||||
case 'z': |
||||
argzone = strdup (optarg); |
||||
@@ -277,27 +300,62 @@ main (int argc, char **argv) |
||||
{ |
||||
if (debug) |
||||
printf ("Creating base zone DN %s\n", argzone); |
||||
- |
||||
+ |
||||
dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP); |
||||
- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC); |
||||
|
||||
- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--) |
||||
+ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone); |
||||
+ if (debug) |
||||
+ printf ("base DN %s\n", basedn); |
||||
+ |
||||
+ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--) |
||||
{ |
||||
- if ((*ctmp == ',') || (ctmp == &basedn[0])) |
||||
+ if ((*ctmp == ',') || (ctmp == &basedn[0])) |
||||
{ |
||||
+ |
||||
base.mod_op = LDAP_MOD_ADD; |
||||
- base.mod_type = (char*)"objectClass"; |
||||
- base.mod_values = (char**)topObjectClasses; |
||||
+ base.mod_type = objectClass; |
||||
+ base.mod_values = topObjectClasses; |
||||
base_attrs[0] = (void*)&base; |
||||
- base_attrs[1] = NULL; |
||||
- |
||||
+ |
||||
+ dcBase.mod_op = LDAP_MOD_ADD; |
||||
+ dcBase.mod_type = dc; |
||||
+ dcp[0]=dc_list[dcn]; |
||||
+ dcp[1]=0L; |
||||
+ dcBase.mod_values=dcp; |
||||
+ base_attrs[1] = (void*)&dcBase; |
||||
+ |
||||
+ znBase.mod_op = LDAP_MOD_ADD; |
||||
+ znBase.mod_type = zoneName; |
||||
+ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- ) |
||||
+ znlen += strlen(dc_list[zdn])+1; |
||||
+ znp[0] = (char*)malloc(znlen+1); |
||||
+ znp[1] = 0L; |
||||
+ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- ) |
||||
+ zn+=sprintf(zn,"%s%s",dc_list[zdn], |
||||
+ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : "" |
||||
+ ); |
||||
+ |
||||
+ znBase.mod_values = znp; |
||||
+ base_attrs[2] = (void*)&znBase; |
||||
+ |
||||
+ rdnBase.mod_op = LDAP_MOD_ADD; |
||||
+ rdnBase.mod_type = relativeDomainName; |
||||
+ rdn[0] = strdup(sameZone); |
||||
+ rdn[1] = 0L; |
||||
+ rdnBase.mod_values = rdn; |
||||
+ base_attrs[3] = (void*)&rdnBase; |
||||
+ |
||||
+ dcn++; |
||||
+ |
||||
+ base.mod_values = topObjectClasses; |
||||
+ base_attrs[4] = NULL; |
||||
+ |
||||
if (ldapbase) |
||||
{ |
||||
if (ctmp != &basedn[0]) |
||||
sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase); |
||||
else |
||||
- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase); |
||||
- |
||||
+ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase); |
||||
} |
||||
else |
||||
{ |
||||
@@ -306,8 +364,13 @@ main (int argc, char **argv) |
||||
else |
||||
sprintf (fullbasedn, "%s", ctmp); |
||||
} |
||||
+ |
||||
+ if( debug ) |
||||
+ printf("Full base dn: %s\n", fullbasedn); |
||||
+ |
||||
result = ldap_add_s (conn, fullbasedn, base_attrs); |
||||
ldap_result_check ("intial ldap_add_s", fullbasedn, result); |
||||
+ |
||||
} |
||||
|
||||
} |
||||
@@ -383,14 +446,14 @@ generate_ldap (dns_name_t * dnsname, dns |
||||
isc_result_check (result, "dns_rdata_totext"); |
||||
data[isc_buffer_usedlength (&buff)] = 0; |
||||
|
||||
- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT); |
||||
+ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT); |
||||
len = (get_attr_list_size (dc_list) - 2); |
||||
- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC); |
||||
+ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone); |
||||
|
||||
if (debug) |
||||
printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data); |
||||
|
||||
- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT); |
||||
+ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT); |
||||
} |
||||
|
||||
|
||||
@@ -430,7 +493,8 @@ add_to_rr_list (char *dn, char *name, ch |
||||
int attrlist; |
||||
char ldap_type_buffer[128]; |
||||
char charttl[64]; |
||||
- |
||||
+ char *zn; |
||||
+ int znlen; |
||||
|
||||
if ((tmp = locate_by_dn (dn)) == NULL) |
||||
{ |
||||
@@ -465,13 +529,13 @@ add_to_rr_list (char *dn, char *name, ch |
||||
} |
||||
} |
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[0]->mod_type = (char*)"objectClass"; |
||||
+ tmp->attrs[0]->mod_type = objectClass; |
||||
|
||||
if (flags == DNS_OBJECT) |
||||
- tmp->attrs[0]->mod_values = (char**)objectClasses; |
||||
+ tmp->attrs[0]->mod_values = objectClasses; |
||||
else |
||||
{ |
||||
- tmp->attrs[0]->mod_values = (char**)topObjectClasses; |
||||
+ tmp->attrs[0]->mod_values =topObjectClasses; |
||||
tmp->attrs[1] = NULL; |
||||
tmp->attrcnt = 2; |
||||
tmp->next = ldap_info_base; |
||||
@@ -480,7 +544,7 @@ add_to_rr_list (char *dn, char *name, ch |
||||
} |
||||
|
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[1]->mod_type = (char*)"relativeDomainName"; |
||||
+ tmp->attrs[1]->mod_type = relativeDomainName; |
||||
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); |
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL) |
||||
@@ -502,7 +566,7 @@ add_to_rr_list (char *dn, char *name, ch |
||||
tmp->attrs[2]->mod_values[1] = NULL; |
||||
|
||||
tmp->attrs[3]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[3]->mod_type = (char*)"dNSTTL"; |
||||
+ tmp->attrs[3]->mod_type = dNSTTL; |
||||
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); |
||||
|
||||
if (tmp->attrs[3]->mod_values == (char **)NULL) |
||||
@@ -512,10 +576,21 @@ add_to_rr_list (char *dn, char *name, ch |
||||
tmp->attrs[3]->mod_values[0] = strdup (charttl); |
||||
tmp->attrs[3]->mod_values[1] = NULL; |
||||
|
||||
+ znlen=strlen(gbl_zone); |
||||
+ if ( *(gbl_zone + (znlen-1)) == '.' ) |
||||
+ { /* ldapdb MUST search by relative zone name */ |
||||
+ zn = (char*)malloc(znlen); |
||||
+ strncpy(zn,gbl_zone,znlen-1); |
||||
+ *(zn + (znlen-1))='\0'; |
||||
+ }else |
||||
+ { |
||||
+ zn = gbl_zone; |
||||
+ } |
||||
+ |
||||
tmp->attrs[4]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[4]->mod_type = (char*)"zoneName"; |
||||
+ tmp->attrs[4]->mod_type = zoneName; |
||||
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); |
||||
- tmp->attrs[4]->mod_values[0] = gbl_zone; |
||||
+ tmp->attrs[4]->mod_values[0] = zn; |
||||
tmp->attrs[4]->mod_values[1] = NULL; |
||||
|
||||
tmp->attrs[5] = NULL; |
||||
@@ -526,7 +601,7 @@ add_to_rr_list (char *dn, char *name, ch |
||||
else |
||||
{ |
||||
|
||||
- for (i = 0; tmp->attrs[i] != NULL; i++) |
||||
+ for (i = 0; tmp->attrs[i] != NULL; i++) |
||||
{ |
||||
sprintf (ldap_type_buffer, "%sRecord", type); |
||||
if (!strncmp |
||||
@@ -595,69 +670,105 @@ char ** |
||||
hostname_to_dn_list (char *hostname, char *zone, unsigned int flags) |
||||
{ |
||||
char *tmp; |
||||
- static char *dn_buffer[64]; |
||||
int i = 0; |
||||
- char *zname; |
||||
- char *hnamebuff; |
||||
- |
||||
- zname = strdup (hostname); |
||||
- |
||||
- if (flags == DNS_OBJECT) |
||||
- { |
||||
+ char *hname=0L, *last=0L; |
||||
+ int hlen=strlen(hostname), zlen=(strlen(zone)); |
||||
|
||||
- if (strlen (zname) != strlen (zone)) |
||||
- { |
||||
- tmp = &zname[strlen (zname) - strlen (zone)]; |
||||
- *--tmp = '\0'; |
||||
- hnamebuff = strdup (zname); |
||||
- zname = ++tmp; |
||||
- } |
||||
- else |
||||
- hnamebuff = (char*)"@"; |
||||
- } |
||||
- else |
||||
- { |
||||
- zname = zone; |
||||
- hnamebuff = NULL; |
||||
- } |
||||
- |
||||
- for (tmp = strrchr (zname, '.'); tmp != (char *) 0; |
||||
- tmp = strrchr (zname, '.')) |
||||
- { |
||||
- *tmp++ = '\0'; |
||||
- dn_buffer[i++] = tmp; |
||||
- } |
||||
- dn_buffer[i++] = zname; |
||||
- dn_buffer[i++] = hnamebuff; |
||||
+/* printf("hostname: %s zone: %s\n",hostname, zone); */ |
||||
+ hname=0L; |
||||
+ if(flags == DNS_OBJECT) |
||||
+ { |
||||
+ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') ) |
||||
+ { |
||||
+ hname=(char*)malloc(hlen + 1); |
||||
+ hlen += 1; |
||||
+ sprintf(hname, "%s.", hostname); |
||||
+ hostname = hname; |
||||
+ } |
||||
+ if(strcmp(hostname, zone) == 0) |
||||
+ { |
||||
+ if( hname == 0 ) |
||||
+ hname=strdup(hostname); |
||||
+ last = strdup(sameZone); |
||||
+ }else |
||||
+ { |
||||
+ if( (hlen < zlen) |
||||
+ ||( strcmp( hostname + (hlen - zlen), zone ) != 0) |
||||
+ ) |
||||
+ { |
||||
+ if( hname != 0 ) |
||||
+ free(hname); |
||||
+ hname=(char*)malloc( hlen + zlen + 1); |
||||
+ if( *zone == '.' ) |
||||
+ sprintf(hname, "%s%s", hostname, zone); |
||||
+ else |
||||
+ sprintf(hname,"%s",zone); |
||||
+ }else |
||||
+ { |
||||
+ if( hname == 0 ) |
||||
+ hname = strdup(hostname); |
||||
+ } |
||||
+ last = hname; |
||||
+ } |
||||
+ }else |
||||
+ { /* flags == DNS_TOP */ |
||||
+ hname = strdup(zone); |
||||
+ last = hname; |
||||
+ } |
||||
+ |
||||
+ for (tmp = strrchr (hname, '.'); tmp != (char *) 0; |
||||
+ tmp = strrchr (hname, '.')) |
||||
+ { |
||||
+ if( *( tmp + 1 ) != '\0' ) |
||||
+ { |
||||
+ *tmp = '\0'; |
||||
+ dn_buffer[i++] = ++tmp; |
||||
+ }else |
||||
+ { /* trailing '.' ! */ |
||||
+ dn_buffer[i++] = strdup("."); |
||||
+ *tmp = '\0'; |
||||
+ if( tmp == hname ) |
||||
+ break; |
||||
+ } |
||||
+ } |
||||
+ if( ( last != hname ) && (tmp != hname) ) |
||||
+ dn_buffer[i++] = hname; |
||||
+ dn_buffer[i++] = last; |
||||
dn_buffer[i] = NULL; |
||||
- |
||||
return dn_buffer; |
||||
} |
||||
|
||||
- |
||||
/* build an sdb compatible LDAP DN from a "dc_list" (char **). |
||||
* will append dNSTTL information to each RR Record, with the |
||||
* exception of "@"/SOA. */ |
||||
|
||||
char * |
||||
-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag) |
||||
+build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone) |
||||
{ |
||||
int size; |
||||
- int x; |
||||
+ int x, znlen; |
||||
static char dn[1024]; |
||||
char tmp[128]; |
||||
+ char zn[DNS_NAME_MAXTEXT+1]; |
||||
|
||||
bzero (tmp, sizeof (tmp)); |
||||
bzero (dn, sizeof (dn)); |
||||
size = get_attr_list_size (dc_list); |
||||
+ znlen = strlen(zone); |
||||
+ if ( *(zone + (znlen-1)) == '.' ) |
||||
+ { /* ldapdb MUST search by relative zone name */ |
||||
+ memcpy(&(zn[0]),zone,znlen-1); |
||||
+ *(zn + (znlen-1))='\0'; |
||||
+ zone = zn; |
||||
+ } |
||||
for (x = size - 2; x > 0; x--) |
||||
{ |
||||
if (flag == WI_SPEC) |
||||
{ |
||||
if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl)) |
||||
- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl); |
||||
+ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); |
||||
else if (x == (size - 2)) |
||||
- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]); |
||||
+ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]); |
||||
else |
||||
sprintf(tmp,"dc=%s,", dc_list[x]); |
||||
} |
||||
@@ -683,6 +794,7 @@ void |
||||
init_ldap_conn () |
||||
{ |
||||
int result; |
||||
+ char ldb_tag[]="LDAP Bind"; |
||||
conn = ldap_open (ldapsystem, LDAP_PORT); |
||||
if (conn == NULL) |
||||
{ |
||||
@@ -692,7 +804,7 @@ init_ldap_conn () |
||||
} |
||||
|
||||
result = ldap_simple_bind_s (conn, binddn, bindpw); |
||||
- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); |
||||
+ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result); |
||||
} |
||||
|
||||
/* Like isc_result_check, only for LDAP */ |
||||
@@ -709,8 +821,6 @@ ldap_result_check (const char *msg, char |
||||
} |
||||
} |
||||
|
||||
- |
||||
- |
||||
/* For running the ldap_info run queue. */ |
||||
void |
||||
add_ldap_values (ldap_info * ldinfo) |
||||
@@ -718,14 +828,14 @@ add_ldap_values (ldap_info * ldinfo) |
||||
int result; |
||||
char dnbuffer[1024]; |
||||
|
||||
- |
||||
if (ldapbase != NULL) |
||||
sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase); |
||||
else |
||||
sprintf (dnbuffer, "%s", ldinfo->dn); |
||||
|
||||
result = ldap_add_s (conn, dnbuffer, ldinfo->attrs); |
||||
- ldap_result_check ("ldap_add_s", dnbuffer, result); |
||||
+ ldap_result_check ("ldap_add_s", dnbuffer, result); |
||||
+ |
||||
} |
||||
|
||||
|
||||
@@ -736,7 +846,7 @@ void |
||||
usage () |
||||
{ |
||||
fprintf (stderr, |
||||
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n" |
||||
+ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n" |
||||
"\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n " |
||||
); |
||||
} |
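Review bot: `hname=(char*)malloc(hlen + 1);` in hostname_to_dn_list undersizes the buffer by one byte, because the `sprintf(hname, "%s.", hostname);` that follows writes the hostname, the appended dot and the terminator, i.e. hlen + 2 bytes, so the NUL lands one past the allocation for every DNS_OBJECT name without a trailing dot; change it to `hname=(char*)malloc(hlen + 2);`. The same hunk adds two other unbounded writes driven by the `-z` argument: `sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);` (both branches) now formats the zone into `char tmp[128]`, and `memcpy(&(zn[0]),zone,znlen-1);` copies into `char zn[DNS_NAME_MAXTEXT+1]` with no length check while `*(zone + (znlen-1))` indexes before the string when the zone is empty (the same znlen-1 read is applied to `gbl_zone` in add_to_rr_list); use `snprintf(tmp, sizeof(tmp), ...)` and reject the zone up front when `znlen == 0 || znlen > DNS_NAME_MAXTEXT`. In the `*zone == '.'` branch, `sprintf(hname, "%s%s", hostname, zone);` reads `hostname` after the `free(hname)` just above it in the case where `hostname` was earlier pointed at `hname`, which looks like a use-after-free for that input shape and is worth confirming. hostname_to_dn_list lies wholly within the hunk; build_dn_from_dc_list continues past the hunk's end.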
@ -0,0 +1,243 @@
@@ -0,0 +1,243 @@
|
||||
--- bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c.sdbsrc 2005-08-16 00:43:03.000000000 -0400 |
||||
+++ bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c 2005-11-15 12:57:44.000000000 -0500 |
||||
@@ -59,16 +59,16 @@ |
||||
ldap_info; |
||||
|
||||
/* usage Info */ |
||||
-void usage (); |
||||
+void usage (void); |
||||
|
||||
/* Add to the ldap dit */ |
||||
void add_ldap_values (ldap_info * ldinfo); |
||||
|
||||
/* Init an ldap connection */ |
||||
-void init_ldap_conn (); |
||||
+void init_ldap_conn (void); |
||||
|
||||
/* Ldap error checking */ |
||||
-void ldap_result_check (char *msg, char *dn, int err); |
||||
+void ldap_result_check (const char *msg, char *dn, int err); |
||||
|
||||
/* Put a hostname into a char ** array */ |
||||
char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags); |
||||
@@ -84,7 +84,7 @@ |
||||
unsigned int ttl, unsigned int flags); |
||||
|
||||
/* Error checking */ |
||||
-void isc_result_check (isc_result_t res, char *errorstr); |
||||
+void isc_result_check (isc_result_t res, const char *errorstr); |
||||
|
||||
/* Generate LDIF Format files */ |
||||
void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata, |
||||
@@ -93,11 +93,17 @@ |
||||
/* head pointer to the list */ |
||||
ldap_info *ldap_info_base = NULL; |
||||
|
||||
+ldap_info * |
||||
+locate_by_dn (char *dn); |
||||
+void |
||||
+init_ldap_conn (); |
||||
+void usage(); |
||||
+ |
||||
char *argzone, *ldapbase, *binddn, *bindpw = NULL; |
||||
-char *ldapsystem = "localhost"; |
||||
-static char *objectClasses[] = |
||||
+const char *ldapsystem = "localhost"; |
||||
+static const char *objectClasses[] = |
||||
{ "top", "dNSZone", NULL }; |
||||
-static char *topObjectClasses[] = { "top", NULL }; |
||||
+static const char *topObjectClasses[] = { "top", NULL }; |
||||
LDAP *conn; |
||||
unsigned int debug = 0; |
||||
|
||||
@@ -106,7 +112,7 @@ |
||||
#endif |
||||
|
||||
int |
||||
-main (int *argc, char **argv) |
||||
+main (int argc, char **argv) |
||||
{ |
||||
isc_mem_t *mctx = NULL; |
||||
isc_entropy_t *ectx = NULL; |
||||
@@ -116,7 +122,7 @@ |
||||
LDAPMod *base_attrs[2]; |
||||
LDAPMod base; |
||||
isc_buffer_t buff; |
||||
- char *zonefile; |
||||
+ char *zonefile=0L; |
||||
char fullbasedn[1024]; |
||||
char *ctmp; |
||||
dns_fixedname_t fixedzone, fixedname; |
||||
@@ -280,9 +286,9 @@ |
||||
if ((*ctmp == ',') || (ctmp == &basedn[0])) |
||||
{ |
||||
base.mod_op = LDAP_MOD_ADD; |
||||
- base.mod_type = "objectClass"; |
||||
- base.mod_values = topObjectClasses; |
||||
- base_attrs[0] = &base; |
||||
+ base.mod_type = (char*)"objectClass"; |
||||
+ base.mod_values = (char**)topObjectClasses; |
||||
+ base_attrs[0] = (void*)&base; |
||||
base_attrs[1] = NULL; |
||||
|
||||
if (ldapbase) |
||||
@@ -337,7 +343,7 @@ |
||||
* I should probably rename this function, as not to cause any |
||||
* confusion with the isc* routines. Will exit on error. */ |
||||
void |
||||
-isc_result_check (isc_result_t res, char *errorstr) |
||||
+isc_result_check (isc_result_t res, const char *errorstr) |
||||
{ |
||||
if (res != ISC_R_SUCCESS) |
||||
{ |
||||
@@ -449,7 +455,7 @@ |
||||
exit (-1); |
||||
} |
||||
|
||||
- for (i = 0; i < flags; i++) |
||||
+ for (i = 0; i < (int)flags; i++) |
||||
{ |
||||
tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod)); |
||||
if (tmp->attrs[i] == (LDAPMod *) NULL) |
||||
@@ -459,13 +465,13 @@ |
||||
} |
||||
} |
||||
tmp->attrs[0]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[0]->mod_type = "objectClass"; |
||||
+ tmp->attrs[0]->mod_type = (char*)"objectClass"; |
||||
|
||||
if (flags == DNS_OBJECT) |
||||
- tmp->attrs[0]->mod_values = objectClasses; |
||||
+ tmp->attrs[0]->mod_values = (char**)objectClasses; |
||||
else |
||||
{ |
||||
- tmp->attrs[0]->mod_values = topObjectClasses; |
||||
+ tmp->attrs[0]->mod_values = (char**)topObjectClasses; |
||||
tmp->attrs[1] = NULL; |
||||
tmp->attrcnt = 2; |
||||
tmp->next = ldap_info_base; |
||||
@@ -474,7 +480,7 @@ |
||||
} |
||||
|
||||
tmp->attrs[1]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[1]->mod_type = "relativeDomainName"; |
||||
+ tmp->attrs[1]->mod_type = (char*)"relativeDomainName"; |
||||
tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2); |
||||
|
||||
if (tmp->attrs[1]->mod_values == (char **)NULL) |
||||
@@ -496,7 +502,7 @@ |
||||
tmp->attrs[2]->mod_values[1] = NULL; |
||||
|
||||
tmp->attrs[3]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[3]->mod_type = "dNSTTL"; |
||||
+ tmp->attrs[3]->mod_type = (char*)"dNSTTL"; |
||||
tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2); |
||||
|
||||
if (tmp->attrs[3]->mod_values == (char **)NULL) |
||||
@@ -507,7 +513,7 @@ |
||||
tmp->attrs[3]->mod_values[1] = NULL; |
||||
|
||||
tmp->attrs[4]->mod_op = LDAP_MOD_ADD; |
||||
- tmp->attrs[4]->mod_type = "zoneName"; |
||||
+ tmp->attrs[4]->mod_type = (char*)"zoneName"; |
||||
tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2); |
||||
tmp->attrs[4]->mod_values[0] = gbl_zone; |
||||
tmp->attrs[4]->mod_values[1] = NULL; |
||||
@@ -607,7 +613,7 @@ |
||||
zname = ++tmp; |
||||
} |
||||
else |
||||
- hnamebuff = "@"; |
||||
+ hnamebuff = (char*)"@"; |
||||
} |
||||
else |
||||
{ |
||||
@@ -686,12 +692,12 @@ |
||||
} |
||||
|
||||
result = ldap_simple_bind_s (conn, binddn, bindpw); |
||||
- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result); |
||||
+ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result); |
||||
} |
||||
|
||||
/* Like isc_result_check, only for LDAP */ |
||||
void |
||||
-ldap_result_check (char *msg, char *dn, int err) |
||||
+ldap_result_check (const char *msg, char *dn, int err) |
||||
{ |
||||
if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS)) |
||||
{ |
||||
@@ -730,5 +736,8 @@ |
||||
usage () |
||||
{ |
||||
fprintf (stderr, |
||||
- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST] |
||||
- [-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");} |
||||
+ "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n" |
||||
+ "\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n " |
||||
+ ); |
||||
+} |
||||
+ |
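Review bot: The reformatted usage text keeps `-w [BIND PASSWORD]` as a command-line argument, and an argument is readable by every local user through `ps` and /proc/*/cmdline for as long as zone2ldap runs. At minimum the usage line should say so, e.g. `"\t(-w exposes the password in the process list; prefer a prompt or a file)\n"`, and a prompting option would be the safer interface. The option parsing is outside this hunk, so I am not claiming no prompt exists already.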
||||
--- bind-9.3.2b2/contrib/sdb/bdb/bdb.c.sdbsrc 2002-07-02 00:45:34.000000000 -0400 |
||||
+++ bind-9.3.2b2/contrib/sdb/bdb/bdb.c 2005-11-15 12:57:44.000000000 -0500 |
||||
@@ -43,7 +43,7 @@ |
||||
#include <dns/lib.h> |
||||
#include <dns/ttl.h> |
||||
|
||||
-#include <named/bdb.h> |
||||
+#include "bdb.h" |
||||
#include <named/globals.h> |
||||
#include <named/config.h> |
||||
|
||||
--- bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c.sdbsrc 2004-03-08 04:04:22.000000000 -0500 |
||||
+++ bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c 2005-11-15 12:57:44.000000000 -0500 |
||||
@@ -23,7 +23,7 @@ |
||||
#include <string.h> |
||||
#include <stdlib.h> |
||||
|
||||
-#include <pgsql/libpq-fe.h> |
||||
+#include <libpq-fe.h> |
||||
|
||||
#include <isc/mem.h> |
||||
#include <isc/print.h> |
||||
--- bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c.sdbsrc 2005-09-05 22:12:40.000000000 -0400 |
||||
+++ bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c 2005-11-15 12:58:12.000000000 -0500 |
||||
@@ -37,7 +37,7 @@ |
||||
#include <dns/rdatatype.h> |
||||
#include <dns/result.h> |
||||
|
||||
-#include <pgsql/libpq-fe.h> |
||||
+#include <libpq-fe.h> |
||||
|
||||
/* |
||||
* Generate a PostgreSQL table from a zone. |
||||
@@ -54,6 +54,9 @@ |
||||
char str[10240]; |
||||
|
||||
void |
||||
+closeandexit(int status); |
||||
+ |
||||
+void |
||||
closeandexit(int status) { |
||||
if (conn != NULL) |
||||
PQfinish(conn); |
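Review bot: The forward declaration added for closeandexit() is a plain `void` prototype, so the function stays an exported symbol purely to quiet a missing-prototype warning; it is only used inside zonetodb.c, and `static void closeandexit(int status);` with a matching `static` on the definition gives the same warning-free build without widening the symbol table. The same applies to the check_result() and addrdata() prototypes added in the two following hunks.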
||||
@@ -61,6 +64,9 @@ |
||||
} |
||||
|
||||
void |
||||
+check_result(isc_result_t result, const char *message); |
||||
+ |
||||
+void |
||||
check_result(isc_result_t result, const char *message) { |
||||
if (result != ISC_R_SUCCESS) { |
||||
fprintf(stderr, "%s: %s\n", message, |
||||
@@ -84,7 +90,8 @@ |
||||
} |
||||
*dest++ = 0; |
||||
} |
||||
- |
||||
+void |
||||
+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata); |
||||
void |
||||
addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) { |
||||
unsigned char namearray[DNS_NAME_MAXTEXT + 1]; |
@@ -0,0 +1,27 @@
|
||||
--- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100 |
||||
+++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100 |
||||
@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named |
||||
|
||||
MANOBJS = ${MANPAGES} ${HTMLPAGES} |
||||
|
||||
+EXT_CFLAGS = -fpie |
||||
+ |
||||
@BIND9_MAKE_RULES@ |
||||
|
||||
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack |
||||
+ |
||||
main.@O@: main.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ |
||||
-DVERSION=\"${VERSION}\" \ |
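Review bot: `EXT_CFLAGS = -fpie` assigns with `=`, so any EXT_CFLAGS value that configure or an earlier include set for this directory is discarded; `EXT_CFLAGS += -fpie` keeps them. The `-pie`/relro/now link flags are applied only to the named binary, so every object or static archive pulled into that link must itself be position-independent — the hunk only covers bin/named and bin/named/unix, which is presumably enough because the BIND libraries are shared, but that is worth confirming on this platform. Note also that `LDFLAGS +=` is silently ignored when LDFLAGS is given on the make command line; `override LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack` keeps the hardening in that case.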
||||
diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in |
||||
--- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100 |
||||
+++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100 |
||||
@@ -19,6 +19,8 @@ srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
+EXT_CFLAGS = -fpie |
||||
+ |
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \ |
@@ -0,0 +1,70 @@
|
||||
diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/config.dlz.in |
||||
--- bind-9.9.0/contrib/dlz/config.dlz.in.64bit 2011-11-05 06:14:28.000000000 +0100 |
||||
+++ bind-9.9.0/contrib/dlz/config.dlz.in 2012-04-24 14:52:08.398511143 +0200 |
||||
@@ -17,6 +17,13 @@ |
||||
# |
||||
dlzdir='${DLZ_DRIVER_DIR}' |
||||
|
||||
+AC_MSG_CHECKING([for target libdir]) |
||||
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}], |
||||
+ [target_lib=lib64], |
||||
+ [target_lib=lib], |
||||
+) |
||||
+AC_MSG_RESULT(["$target_lib"]) |
||||
+ |
||||
# |
||||
# Private autoconf macro to simplify configuring drivers: |
||||
# |
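Review bot: The AC_RUN_IFELSE added here has no fourth (cross-compiling) action, so configure aborts when building for a different host, and the test program calls exit() without including <stdlib.h>, which newer compilers reject as an implicit declaration. Wrap the source and give a fallback: `AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <stdlib.h>]], [[exit((sizeof(void *) == 8) ? 0 : 1);]])], [target_lib=lib64], [target_lib=lib], [target_lib=lib])`. AC_CHECK_SIZEOF([void *]) would give the same answer without executing anything.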
||||
@@ -135,9 +142,9 @@ then |
||||
then |
||||
use_dlz_mysql=$d |
||||
mysql_include=$d/include/mysql |
||||
- if test -d $d/lib/mysql |
||||
+ if test -d $d/${target_lib}/mysql |
||||
then |
||||
- mysql_lib=$d/lib/mysql |
||||
+ mysql_lib=$d/${target_lib}/mysql |
||||
else |
||||
mysql_lib=$d/lib |
||||
fi |
||||
@@ -274,11 +281,11 @@ case "$use_dlz_bdb" in |
||||
bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db" |
||||
for d in $bdb_libnames |
||||
do |
||||
- if test -f "$dd/lib/lib${d}.so" |
||||
+ if test -f "$dd/${target_lib}/lib${d}.so" |
||||
then |
||||
if test "$dd" != "/usr" |
||||
then |
||||
- dlz_bdb_libs="-L${dd}/lib " |
||||
+ dlz_bdb_libs="-L${dd}/${target_lib} " |
||||
else |
||||
dlz_bdb_libs="" |
||||
fi |
||||
@@ -383,7 +390,7 @@ case "$use_dlz_ldap" in |
||||
*) |
||||
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver, |
||||
[-I$use_dlz_ldap/include], |
||||
- [-L$use_dlz_ldap/lib -lldap -llber]) |
||||
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber]) |
||||
|
||||
AC_MSG_RESULT( |
||||
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include]) |
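Review bot: The library path in the DLZ_ADD_DRIVER call now uses `${target_lib}`, but the AC_MSG_RESULT on the last line of the hunk still reports `$use_dlz_ldap/lib`, so on a lib64 host configure prints a directory that was not searched. Change it to `[using LDAP from $use_dlz_ldap/${target_lib} and $use_dlz_ldap/include]` so the log matches the link flags.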
||||
@@ -407,7 +414,7 @@ then |
||||
odbcdirs="/usr /usr/local /usr/pkg" |
||||
for d in $odbcdirs |
||||
do |
||||
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a |
||||
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a |
||||
then |
||||
use_dlz_odbc=$d |
||||
break |
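Review bot: The ODBC probe now looks in `${target_lib}` but still requires the static archive `libodbc.a`; on hosts that ship only libodbc.so the test fails and the driver is silently skipped. Accept either form, e.g. `if test -f $d/include/sql.h -a \( -f $d/${target_lib}/libodbc.a -o -f $d/${target_lib}/libodbc.so \)`, or probe with AC_CHECK_LIB instead of a file test.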
||||
@@ -427,7 +434,7 @@ case "$use_dlz_odbc" in |
||||
*) |
||||
DLZ_ADD_DRIVER(ODBC, dlz_odbc_driver, |
||||
[-I$use_dlz_odbc/include], |
||||
- [-L$use_dlz_odbc/lib -lodbc]) |
||||
+ [-L$use_dlz_odbc/${target_lib} -lodbc]) |
||||
|
||||
AC_MSG_RESULT([using ODBC from $use_dlz_odbc]) |
||||
;; |
@@ -0,0 +1,270 @@
|
||||
diff -up bind-9.7.0b1/bin/dig/dighost.c.libidn bind-9.7.0b1/bin/dig/dighost.c |
||||
--- bind-9.7.0b1/bin/dig/dighost.c.libidn 2009-09-16 01:48:09.000000000 +0200 |
||||
+++ bind-9.7.0b1/bin/dig/dighost.c 2009-10-20 10:49:26.719056220 +0200 |
||||
@@ -44,6 +44,11 @@ |
||||
#include <idn/api.h> |
||||
#endif |
||||
|
||||
+#ifdef WITH_LIBIDN |
||||
+#include <stringprep.h> |
||||
+#include <idna.h> |
||||
+#endif |
||||
+ |
||||
#include <dns/byaddr.h> |
||||
#ifdef DIG_SIGCHASE |
||||
#include <dns/callbacks.h> |
||||
@@ -153,6 +158,14 @@ static void idn_check_result(idn_result |
||||
int idnoptions = 0; |
||||
#endif |
||||
|
||||
+#ifdef WITH_LIBIDN |
||||
+static isc_result_t libidn_locale_to_utf8 (const char* from, char **to); |
||||
+static isc_result_t libidn_utf8_to_ascii (const char* from, char *to); |
||||
+static isc_result_t output_filter (isc_buffer_t *buffer, |
||||
+ unsigned int used_org, |
||||
+ isc_boolean_t absolute); |
||||
+#endif |
||||
+ |
||||
/*% |
||||
* Exit Codes: |
||||
* |
||||
@@ -1184,6 +1197,9 @@ setup_system(void) { |
||||
dig_searchlist_t *domain = NULL; |
||||
lwres_result_t lwresult; |
||||
unsigned int lwresflags; |
||||
+#ifdef WITH_LIBIDN |
||||
+ isc_result_t result; |
||||
+#endif |
||||
|
||||
debug("setup_system()"); |
||||
|
||||
@@ -1242,8 +1258,15 @@ setup_system(void) { |
||||
|
||||
#ifdef WITH_IDN |
||||
initialize_idn(); |
||||
+ |
||||
+#endif |
||||
+#ifdef WITH_LIBIDN |
||||
+ result = dns_name_settotextfilter(output_filter); |
||||
+ check_result(result, "dns_name_settotextfilter"); |
||||
+#ifdef HAVE_SETLOCALE |
||||
+ setlocale (LC_ALL, ""); |
||||
+#endif |
||||
#endif |
||||
- |
||||
if (keyfile[0] != 0) |
||||
setup_file_key(); |
||||
else if (keysecret[0] != 0) |
||||
@@ -1957,12 +1980,18 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
idn_result_t mr; |
||||
char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME]; |
||||
#endif |
||||
+#ifdef WITH_LIBIDN |
||||
+ char *utf8_str = NULL, utf8_name[MXNAME], ascii_name[MXNAME]; |
||||
+#endif |
||||
|
||||
#ifdef WITH_IDN |
||||
result = dns_name_settotextfilter(output_filter); |
||||
check_result(result, "dns_name_settotextfilter"); |
||||
#endif |
||||
- |
||||
+#ifdef WITH_LIBIDN |
||||
+ result = dns_name_settotextfilter (output_filter); |
||||
+ check_result(result, "dns_name_settotextfilter"); |
||||
+#endif |
||||
REQUIRE(lookup != NULL); |
||||
INSIST(!free_now); |
||||
|
||||
@@ -1999,6 +2028,16 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname, |
||||
utf8_textname, sizeof(utf8_textname)); |
||||
idn_check_result(mr, "convert textname to UTF-8"); |
||||
+#elif defined (WITH_LIBIDN) |
||||
+ result = libidn_locale_to_utf8 (lookup->textname, &utf8_str); |
||||
+ check_result (result, "converting textname to UTF-8"); |
||||
+ len = strlen (utf8_str); |
||||
+ if (len < MXNAME) { |
||||
+ (void) strcpy (utf8_name, utf8_str); |
||||
+ } else { |
||||
+ fatal ("Too long name"); |
||||
+ } |
||||
+ isc_mem_free (mctx, utf8_str); |
||||
#endif |
||||
|
||||
/* |
||||
@@ -2018,6 +2057,15 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
lookup->origin = ISC_LIST_HEAD(search_list); |
||||
lookup->need_search = ISC_FALSE; |
||||
} |
||||
+#elif defined (WITH_LIBIDN) |
||||
+ if ((count_dots(utf8_name) >= ndots) || !usesearch) { |
||||
+ lookup->origin = NULL; /* Force abs lookup */ |
||||
+ lookup->done_as_is = ISC_TRUE; |
||||
+ lookup->need_search = usesearch; |
||||
+ } else if (lookup->origin == NULL && usesearch) { |
||||
+ lookup->origin = ISC_LIST_HEAD(search_list); |
||||
+ lookup->need_search = ISC_FALSE; |
||||
+ } |
||||
#else |
||||
if ((count_dots(lookup->textname) >= ndots) || !usesearch) { |
||||
lookup->origin = NULL; /* Force abs lookup */ |
||||
@@ -2044,6 +2092,20 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
IDN_IDNCONV | IDN_LENCHECK, utf8_textname, |
||||
idn_textname, sizeof(idn_textname)); |
||||
idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); |
||||
+#elif defined (WITH_LIBIDN) |
||||
+ if (lookup->origin != NULL) { |
||||
+ result = libidn_locale_to_utf8 (lookup->origin->origin, &utf8_str); |
||||
+ check_result (result, "convert origin to UTF-8"); |
||||
+ if (len + strlen (utf8_str) + 1 < MXNAME) { |
||||
+ utf8_name[len++] = '.'; |
||||
+ (void) strcpy (utf8_name + len, utf8_str); |
||||
+ } else { |
||||
+ fatal ("Too long name + origin"); |
||||
+ } |
||||
+ isc_mem_free (mctx, utf8_str); |
||||
+ } |
||||
+ |
||||
+ result = libidn_utf8_to_ascii (utf8_name, ascii_name); |
||||
#else |
||||
if (lookup->origin != NULL) { |
||||
debug("trying origin %s", lookup->origin->origin); |
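Review bot: `result = libidn_utf8_to_ascii (utf8_name, ascii_name);` on the last added line is never checked, so when idna_to_ascii_8z() rejects the name the helper returns ISC_R_FAILURE, ascii_name is left uninitialised on the stack, and the later `strlen (ascii_name)` in this function reads garbage. Follow it with `check_result (result, "convert UTF-8 name to ASCII");` like the other conversions in this hunk. The helper also copies into the MXNAME-byte ascii_name with an unbounded strcpy although ACE (xn--) output can be longer than its UTF-8 input; that is raised on the hunk that defines it. setup_lookup() starts and ends outside this hunk.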
||||
@@ -2099,6 +2161,13 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
result = dns_name_fromtext(lookup->name, &b, |
||||
dns_rootname, 0, |
||||
&lookup->namebuf); |
||||
+#elif defined (WITH_LIBIDN) |
||||
+ len = strlen (ascii_name); |
||||
+ isc_buffer_init(&b, ascii_name, len); |
||||
+ isc_buffer_add(&b, len); |
||||
+ result = dns_name_fromtext(lookup->name, &b, |
||||
+ dns_rootname, 0, |
||||
+ &lookup->namebuf); |
||||
#else |
||||
len = strlen(lookup->textname); |
||||
isc_buffer_init(&b, lookup->textname, len); |
||||
@@ -3617,7 +3686,7 @@ destroy_libs(void) { |
||||
void * ptr; |
||||
dig_message_t *chase_msg; |
||||
#endif |
||||
-#ifdef WITH_IDN |
||||
+#if defined (WITH_IDN) || defined (WITH_LIBIDN) |
||||
isc_result_t result; |
||||
#endif |
||||
|
||||
@@ -3656,6 +3725,10 @@ destroy_libs(void) { |
||||
result = dns_name_settotextfilter(NULL); |
||||
check_result(result, "dns_name_settotextfilter"); |
||||
#endif |
||||
+#ifdef WITH_LIBIDN |
||||
+ result = dns_name_settotextfilter (NULL); |
||||
+ check_result(result, "clearing dns_name_settotextfilter"); |
||||
+#endif |
||||
dns_name_destroy(); |
||||
|
||||
if (commctx != NULL) { |
||||
@@ -3834,6 +3907,79 @@ idn_check_result(idn_result_t r, const c |
||||
} |
||||
} |
||||
#endif /* WITH_IDN */ |
||||
+#ifdef WITH_LIBIDN |
||||
+/* If stringprep_locale_to_utf8 fails simple copy string */ |
||||
+static isc_result_t |
||||
+libidn_locale_to_utf8 (const char *from, char **to) { |
||||
+ char *utf8_str; |
||||
+ |
||||
+ utf8_str = stringprep_locale_to_utf8 (from); |
||||
+ if (utf8_str == NULL) { |
||||
+ *to = isc_mem_allocate (mctx, strlen (from) + 1); |
||||
+ if (*to == NULL) |
||||
+ return (ISC_R_NOMEMORY); |
||||
+ (void) strcpy (*to, from); |
||||
+ } else { |
||||
+ *to = isc_mem_allocate (mctx, strlen (utf8_str) + 1); |
||||
+ if (*to == NULL) |
||||
+ return (ISC_R_NOMEMORY); |
||||
+ (void) strcpy (*to, utf8_str); |
||||
+ free (utf8_str); |
||||
+ } |
||||
+ return (ISC_R_SUCCESS); |
||||
+} |
||||
+static isc_result_t |
||||
+libidn_utf8_to_ascii (const char *from, char *to) { |
||||
+ char *ascii; |
||||
+ |
||||
+ if (idna_to_ascii_8z (from, &ascii, 0) != IDNA_SUCCESS) |
||||
+ return (ISC_R_FAILURE); |
||||
+ |
||||
+ (void) strcpy (to, ascii); |
||||
+ free (ascii); |
||||
+ return (ISC_R_SUCCESS); |
||||
+} |
||||
+/* based on idnkit's code*/ |
||||
+static isc_result_t |
||||
+output_filter (isc_buffer_t *buffer, unsigned int used_org, |
||||
+ isc_boolean_t absolute) { |
||||
+ char tmp1[MXNAME], *tmp2; |
||||
+ size_t fromlen, tolen; |
||||
+ isc_boolean_t end_with_dot; |
||||
+ |
||||
+ fromlen = isc_buffer_usedlength(buffer) - used_org; |
||||
+ if (fromlen >= MXNAME) |
||||
+ return (ISC_R_SUCCESS); |
||||
+ memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen); |
||||
+ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE; |
||||
+ if (absolute && !end_with_dot) { |
||||
+ fromlen++; |
||||
+ if (fromlen >= MXNAME) |
||||
+ return (ISC_R_SUCCESS); |
||||
+ tmp1[fromlen - 1] = '.'; |
||||
+ } |
||||
+ tmp1[fromlen] = '\0'; |
||||
+ |
||||
+ if (idna_to_unicode_lzlz (tmp1, &tmp2, 0) != IDNA_SUCCESS) |
||||
+ return (ISC_R_SUCCESS); |
||||
+ |
||||
+ (void) strcpy (tmp1, tmp2); |
||||
+ free (tmp2); |
||||
+ |
||||
+ tolen = strlen(tmp1); |
||||
+ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.') |
||||
+ tolen--; |
||||
+ |
||||
+ if (isc_buffer_length(buffer) < used_org + tolen) |
||||
+ return (ISC_R_NOSPACE); |
||||
+ |
||||
+ isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org); |
||||
+ memcpy(isc_buffer_used(buffer), tmp1, tolen); |
||||
+ isc_buffer_add(buffer, tolen); |
||||
+ |
||||
+ return (ISC_R_SUCCESS); |
||||
+} |
||||
+#endif /* WITH_LIBIDN*/ |
||||
|
||||
#ifdef DIG_SIGCHASE |
||||
void |
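Review bot: libidn_utf8_to_ascii() and output_filter() both strcpy library output into fixed MXNAME-byte stack buffers with no length check: ACE encoding can be longer than the UTF-8 input (a lone `ü` becomes `xn--tda`) and decoding can be longer than the ACE form (four-byte code points come out of a shorter Punycode label), so a name that passed the `< MXNAME` tests in setup_lookup can still overflow ascii_name or tmp1. output_filter also evaluates `tmp1[fromlen - 1]` without excluding fromlen == 0, which indexes before the array. The rewrite below bounds both copies and rejects the empty case; returning ISC_R_NOSPACE from the ascii path lets the caller's check_result report it instead of continuing with a truncated name.
```c
static isc_result_t
libidn_utf8_to_ascii (const char *from, char *to) {
	char *ascii;

	if (idna_to_ascii_8z (from, &ascii, 0) != IDNA_SUCCESS)
		return (ISC_R_FAILURE);

	/* 'to' is ascii_name[MXNAME]; ACE output may exceed the UTF-8 input. */
	if (strlen (ascii) >= MXNAME) {
		free (ascii);
		return (ISC_R_NOSPACE);
	}
	(void) strcpy (to, ascii);
	free (ascii);
	return (ISC_R_SUCCESS);
}

/* … unchanged: output_filter signature and locals … */
	fromlen = isc_buffer_usedlength(buffer) - used_org;
	if (fromlen == 0 || fromlen >= MXNAME)
		return (ISC_R_SUCCESS);
	/* … unchanged: copy into tmp1, trailing-dot handling, idna_to_unicode_lzlz … */
	/* decoded output may be longer than the ACE form; keep tmp1 in bounds */
	if (strlen (tmp2) >= MXNAME) {
		free (tmp2);
		return (ISC_R_SUCCESS);
	}
	(void) strcpy (tmp1, tmp2);
	free (tmp2);
	/* … unchanged: tolen computation and buffer rewrite … */
```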
||||
diff -up bind-9.7.0b1/bin/dig/Makefile.in.libidn bind-9.7.0b1/bin/dig/Makefile.in |
||||
--- bind-9.7.0b1/bin/dig/Makefile.in.libidn 2009-09-22 10:47:55.000000000 +0200 |
||||
+++ bind-9.7.0b1/bin/dig/Makefile.in 2009-10-20 10:50:06.201543709 +0200 |
||||
@@ -46,10 +46,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} |
||||
${LWRESDEPLIBS} |
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ |
||||
- ${ISCLIBS} @IDNLIBS@ @LIBS@ |
||||
+ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn |
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ |
||||
- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ |
||||
+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn |
||||
|
||||
SUBDIRS = |
||||
|
||||
@@ -67,6 +67,8 @@ HTMLPAGES = dig.html host.html nslookup. |
||||
|
||||
MANOBJS = ${MANPAGES} ${HTMLPAGES} |
||||
|
||||
+EXT_CFLAGS = -DWITH_LIBIDN |
||||
+ |
||||
@BIND9_MAKE_RULES@ |
||||
|
||||
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} |
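Review bot: `-lidn` is appended to LIBS and NOSYMLIBS unconditionally and `EXT_CFLAGS = -DWITH_LIBIDN` is hard-coded, so this Makefile.in can no longer build on a host without libidn and there is no configure switch to turn the feature off. Route both through configure — a `@LIBIDN_LIBS@` substitution next to the existing `@IDNLIBS@`, and the define via AC_DEFINE — so the dependency is detected rather than assumed. `EXT_CFLAGS =` (rather than `+=`) also discards any value the build system already sets for this directory, if it sets one.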
@@ -0,0 +1,221 @@
|
||||
diff -up bind-9.5.0b1/bin/dig/dighost.c.libidn2 bind-9.5.0b1/bin/dig/dighost.c |
||||
--- bind-9.5.0b1/bin/dig/dighost.c.libidn2 2007-12-10 13:12:26.000000000 +0100 |
||||
+++ bind-9.5.0b1/bin/dig/dighost.c 2007-12-10 14:21:09.000000000 +0100 |
||||
@@ -153,7 +153,7 @@ int idnoptions = 0; |
||||
#endif |
||||
|
||||
#ifdef WITH_LIBIDN |
||||
-static isc_result_t libidn_locale_to_utf8 (const char* from, char **to); |
||||
+static isc_result_t libidn_locale_to_utf8 (const char* from, char *to); |
||||
static isc_result_t libidn_utf8_to_ascii (const char* from, char *to); |
||||
static isc_result_t output_filter (isc_buffer_t *buffer, |
||||
unsigned int used_org, |
||||
@@ -1764,17 +1764,13 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME]; |
||||
#endif |
||||
#ifdef WITH_LIBIDN |
||||
- char *utf8_str = NULL, utf8_name[MXNAME], ascii_name[MXNAME]; |
||||
+ char utf8_str[MXNAME], utf8_name[MXNAME], ascii_name[MXNAME]; |
||||
#endif |
||||
|
||||
-#ifdef WITH_IDN |
||||
+#if defined (WITH_IDN) || defined (WITH_LIBIDN) |
||||
result = dns_name_settotextfilter(output_filter); |
||||
check_result(result, "dns_name_settotextfilter"); |
||||
#endif |
||||
-#ifdef WITH_LIBIDN |
||||
- result = dns_name_settotextfilter (output_filter); |
||||
- check_result(result, "dns_name_settotextfilter"); |
||||
-#endif |
||||
REQUIRE(lookup != NULL); |
||||
INSIST(!free_now); |
||||
|
||||
@@ -1812,15 +1808,13 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
utf8_textname, sizeof(utf8_textname)); |
||||
idn_check_result(mr, "convert textname to UTF-8"); |
||||
#elif defined (WITH_LIBIDN) |
||||
- result = libidn_locale_to_utf8 (lookup->textname, &utf8_str); |
||||
- check_result (result, "converting textname to UTF-8"); |
||||
+ result = libidn_locale_to_utf8 (lookup->textname, utf8_str); |
||||
+ check_result (result, "convert textname to UTF-8"); |
||||
len = strlen (utf8_str); |
||||
- if (len < MXNAME) { |
||||
+ if (len < MXNAME) |
||||
(void) strcpy (utf8_name, utf8_str); |
||||
- } else { |
||||
+ else |
||||
fatal ("Too long name"); |
||||
- } |
||||
- isc_mem_free (mctx, utf8_str); |
||||
#endif |
||||
|
||||
/* |
||||
@@ -1833,24 +1827,11 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
if (lookup->new_search) { |
||||
#ifdef WITH_IDN |
||||
if ((count_dots(utf8_textname) >= ndots) || !usesearch) { |
||||
- lookup->origin = NULL; /* Force abs lookup */ |
||||
- lookup->done_as_is = ISC_TRUE; |
||||
- lookup->need_search = usesearch; |
||||
- } else if (lookup->origin == NULL && usesearch) { |
||||
- lookup->origin = ISC_LIST_HEAD(search_list); |
||||
- lookup->need_search = ISC_FALSE; |
||||
- } |
||||
#elif defined (WITH_LIBIDN) |
||||
if ((count_dots(utf8_name) >= ndots) || !usesearch) { |
||||
- lookup->origin = NULL; /* Force abs lookup */ |
||||
- lookup->done_as_is = ISC_TRUE; |
||||
- lookup->need_search = usesearch; |
||||
- } else if (lookup->origin == NULL && usesearch) { |
||||
- lookup->origin = ISC_LIST_HEAD(search_list); |
||||
- lookup->need_search = ISC_FALSE; |
||||
- } |
||||
#else |
||||
if ((count_dots(lookup->textname) >= ndots) || !usesearch) { |
||||
+#endif |
||||
lookup->origin = NULL; /* Force abs lookup */ |
||||
lookup->done_as_is = ISC_TRUE; |
||||
lookup->need_search = usesearch; |
||||
@@ -1858,7 +1839,6 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
lookup->origin = ISC_LIST_HEAD(search_list); |
||||
lookup->need_search = ISC_FALSE; |
||||
} |
||||
-#endif |
||||
} |
||||
|
||||
#ifdef WITH_IDN |
||||
@@ -1877,15 +1857,12 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); |
||||
#elif defined (WITH_LIBIDN) |
||||
if (lookup->origin != NULL) { |
||||
- result = libidn_locale_to_utf8 (lookup->origin->origin, &utf8_str); |
||||
+ result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str); |
||||
check_result (result, "convert origin to UTF-8"); |
||||
- if (len + strlen (utf8_str) + 1 < MXNAME) { |
||||
- utf8_name[len++] = '.'; |
||||
+ if (len + strlen (utf8_str) < MXNAME) |
||||
(void) strcpy (utf8_name + len, utf8_str); |
||||
- } else { |
||||
+ else |
||||
fatal ("Too long name + origin"); |
||||
- } |
||||
- isc_mem_free (mctx, utf8_str); |
||||
} |
||||
|
||||
result = libidn_utf8_to_ascii (utf8_name, ascii_name); |
||||
@@ -3600,76 +3577,85 @@ idn_check_result(idn_result_t r, const c |
||||
} |
||||
#endif /* WITH_IDN */ |
||||
#ifdef WITH_LIBIDN |
||||
-/* If stringprep_locale_to_utf8 fails simple copy string */ |
||||
static isc_result_t |
||||
-libidn_locale_to_utf8 (const char *from, char **to) { |
||||
+libidn_locale_to_utf8 (const char *from, char *to) { |
||||
char *utf8_str; |
||||
|
||||
+ debug ("libidn_locale_to_utf8"); |
||||
utf8_str = stringprep_locale_to_utf8 (from); |
||||
- if (utf8_str == NULL) { |
||||
- *to = isc_mem_allocate (mctx, strlen (from) + 1); |
||||
- if (*to == NULL) |
||||
- return (ISC_R_NOMEMORY); |
||||
- (void) strcpy (*to, from); |
||||
- } else { |
||||
- *to = isc_mem_allocate (mctx, strlen (utf8_str) + 1); |
||||
- if (*to == NULL) |
||||
- return (ISC_R_NOMEMORY); |
||||
- (void) strcpy (*to, utf8_str); |
||||
+ if (utf8_str != NULL) { |
||||
+ (void) strcpy (to, utf8_str); |
||||
free (utf8_str); |
||||
+ return ISC_R_SUCCESS; |
||||
} |
||||
- return (ISC_R_SUCCESS); |
||||
+ |
||||
+ debug ("libidn_locale_to_utf8: failure"); |
||||
+ return ISC_R_FAILURE; |
||||
} |
||||
static isc_result_t |
||||
libidn_utf8_to_ascii (const char *from, char *to) { |
||||
char *ascii; |
||||
+ int iresult; |
||||
|
||||
- if (idna_to_ascii_8z (from, &ascii, 0) != IDNA_SUCCESS) |
||||
- return (ISC_R_FAILURE); |
||||
+ debug ("libidn_utf8_to_ascii"); |
||||
+ iresult = idna_to_ascii_8z (from, &ascii, 0); |
||||
+ if (iresult != IDNA_SUCCESS) { |
||||
+ debug ("idna_to_ascii_8z: %s", idna_strerror (iresult)); |
||||
+ return ISC_R_FAILURE; |
||||
+ } |
||||
|
||||
(void) strcpy (to, ascii); |
||||
free (ascii); |
||||
- return (ISC_R_SUCCESS); |
||||
+ return ISC_R_SUCCESS; |
||||
} |
||||
-/* based on idnkit's code*/ |
||||
+ |
||||
static isc_result_t |
||||
output_filter (isc_buffer_t *buffer, unsigned int used_org, |
||||
isc_boolean_t absolute) { |
||||
+ |
||||
char tmp1[MXNAME], *tmp2; |
||||
size_t fromlen, tolen; |
||||
isc_boolean_t end_with_dot; |
||||
+ int iresult; |
||||
+ |
||||
+ debug ("output_filter"); |
||||
|
||||
- fromlen = isc_buffer_usedlength(buffer) - used_org; |
||||
+ fromlen = isc_buffer_usedlength (buffer) - used_org; |
||||
if (fromlen >= MXNAME) |
||||
- return (ISC_R_SUCCESS); |
||||
- memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen); |
||||
+ return ISC_R_SUCCESS; |
||||
+ memcpy (tmp1, (char *) isc_buffer_base (buffer) + used_org, fromlen); |
||||
end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE; |
||||
if (absolute && !end_with_dot) { |
||||
fromlen++; |
||||
if (fromlen >= MXNAME) |
||||
- return (ISC_R_SUCCESS); |
||||
+ return ISC_R_SUCCESS; |
||||
tmp1[fromlen - 1] = '.'; |
||||
} |
||||
tmp1[fromlen] = '\0'; |
||||
|
||||
- if (idna_to_unicode_lzlz (tmp1, &tmp2, 0) != IDNA_SUCCESS) |
||||
- return (ISC_R_SUCCESS); |
||||
+ iresult = idna_to_unicode_8z8z (tmp1, &tmp2, 0); |
||||
+ if (iresult != IDNA_SUCCESS) { |
||||
+ debug ("output_filter: %s", idna_strerror (iresult)); |
||||
+ return ISC_R_SUCCESS; |
||||
+ } |
||||
|
||||
(void) strcpy (tmp1, tmp2); |
||||
free (tmp2); |
||||
|
||||
- tolen = strlen(tmp1); |
||||
+ tolen = strlen (tmp1); |
||||
if (absolute && !end_with_dot && tmp1[tolen - 1] == '.') |
||||
tolen--; |
||||
|
||||
- if (isc_buffer_length(buffer) < used_org + tolen) |
||||
- return (ISC_R_NOSPACE); |
||||
+ if (isc_buffer_length (buffer) < used_org + tolen) |
||||
+ return ISC_R_NOSPACE; |
||||
+ |
||||
+ debug ("%s", tmp1); |
||||
|
||||
- isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org); |
||||
- memcpy(isc_buffer_used(buffer), tmp1, tolen); |
||||
- isc_buffer_add(buffer, tolen); |
||||
+ isc_buffer_subtract (buffer, isc_buffer_usedlength (buffer) - used_org); |
||||
+ memcpy (isc_buffer_used (buffer), tmp1, tolen); |
||||
+ isc_buffer_add (buffer, tolen); |
||||
|
||||
- return (ISC_R_SUCCESS); |
||||
+ return ISC_R_SUCCESS; |
||||
} |
||||
#endif /* WITH_LIBIDN*/ |
||||
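Review bot: libidn_locale_to_utf8() now writes into the caller's `utf8_str[MXNAME]` with a plain strcpy, but locale-to-UTF-8 conversion expands single-byte characters to two or three bytes, so a textname close to MXNAME in a Latin-1 locale overflows that stack buffer before setup_lookup's `len < MXNAME` test ever runs. The length guard has to live inside the helper, as below; libidn_utf8_to_ascii() in this hunk has the same unbounded copy into ascii_name and deserves the same `strlen (ascii) >= MXNAME` check. output_filter() still evaluates `tmp1[fromlen - 1]` for fromlen == 0 and still strcpys the decoded name into tmp1 without a bound, which the rewrite also closes.
```c
static isc_result_t
libidn_locale_to_utf8 (const char *from, char *to) {
	char *utf8_str;

	debug ("libidn_locale_to_utf8");
	utf8_str = stringprep_locale_to_utf8 (from);
	if (utf8_str != NULL) {
		/* 'to' is MXNAME bytes; locale->UTF-8 can expand every byte */
		if (strlen (utf8_str) >= MXNAME) {
			free (utf8_str);
			debug ("libidn_locale_to_utf8: result too long");
			return ISC_R_NOSPACE;
		}
		(void) strcpy (to, utf8_str);
		free (utf8_str);
		return ISC_R_SUCCESS;
	}

	debug ("libidn_locale_to_utf8: failure");
	return ISC_R_FAILURE;
}

/* … unchanged: libidn_utf8_to_ascii (add the same strlen bound before its strcpy) … */

/* … unchanged: output_filter signature and locals … */
	fromlen = isc_buffer_usedlength (buffer) - used_org;
	if (fromlen == 0 || fromlen >= MXNAME)
		return ISC_R_SUCCESS;
	/* … unchanged: copy into tmp1, trailing-dot handling, idna_to_unicode_8z8z … */
	if (strlen (tmp2) >= MXNAME) {
		free (tmp2);
		return ISC_R_SUCCESS;
	}
	(void) strcpy (tmp1, tmp2);
	free (tmp2);
	/* … unchanged: tolen computation and buffer rewrite … */
```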
|
@@ -0,0 +1,21 @@
|
||||
diff -up bind-9.5.0b1/bin/dig/dighost.c.libidn3 bind-9.5.0b1/bin/dig/dighost.c |
||||
--- bind-9.5.0b1/bin/dig/dighost.c.libidn3 2007-12-20 13:24:27.000000000 +0100 |
||||
+++ bind-9.5.0b1/bin/dig/dighost.c 2007-12-20 13:27:10.000000000 +0100 |
||||
@@ -1859,10 +1859,13 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
if (lookup->origin != NULL) { |
||||
result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str); |
||||
check_result (result, "convert origin to UTF-8"); |
||||
- if (len + strlen (utf8_str) < MXNAME) |
||||
- (void) strcpy (utf8_name + len, utf8_str); |
||||
- else |
||||
- fatal ("Too long name + origin"); |
||||
+ if (len > 0 && utf8_name[len - 1] != '.') { |
||||
+ utf8_name[len++] = '.'; |
||||
+ if (len + strlen (utf8_str) < MXNAME) |
||||
+ (void) strcpy (utf8_name + len, utf8_str); |
||||
+ else |
||||
+ fatal ("Too long name + origin"); |
||||
+ } |
||||
} |
||||
|
||||
result = libidn_utf8_to_ascii (utf8_name, ascii_name); |
@@ -0,0 +1,14 @@
|
||||
diff -up bind-9.5.0b1/lib/dns/Makefile.in.parallel bind-9.5.0b1/lib/dns/Makefile.in |
||||
--- bind-9.5.0b1/lib/dns/Makefile.in.parallel 2008-01-17 18:27:38.000000000 +0100 |
||||
+++ bind-9.5.0b1/lib/dns/Makefile.in 2008-01-17 18:27:45.000000000 +0100 |
||||
@@ -19,10 +19,6 @@ srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
-# Attempt to disable parallel processing. |
||||
-.NOTPARALLEL: |
||||
-.NO_PARALLEL: |
||||
- |
||||
@BIND9_VERSION@ |
||||
|
||||
@LIBDNS_API@ |
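Review bot: Dropping `.NOTPARALLEL:` is only safe if everything this directory generates at build time is a declared prerequisite of the objects that consume it; the removed comment calls the guard an attempt to disable parallel processing, which suggests the dependency graph was not trusted when it was added. The rest of lib/dns/Makefile.in is outside this hunk, so treat this as something to verify with repeated `make -j` builds from a clean tree rather than a defect I can point to.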
@@ -0,0 +1,102 @@
|
||||
diff -up bind-9.8.1rc1/bin/named-sdb/main.c.sdb-sqlite-bld bind-9.8.1rc1/bin/named-sdb/main.c |
||||
--- bind-9.8.1rc1/bin/named-sdb/main.c.sdb-sqlite-bld 2011-08-31 14:41:15.646020840 +0200 |
||||
+++ bind-9.8.1rc1/bin/named-sdb/main.c 2011-08-31 14:41:35.132019452 +0200 |
||||
@@ -85,6 +85,7 @@ |
||||
/* #include "xxdb.h" */ |
||||
#include "ldapdb.h" |
||||
#include "pgsqldb.h" |
||||
+#include "sqlitedb.h" |
||||
#include "dirdb.h" |
||||
|
||||
#ifdef CONTRIB_DLZ |
||||
@@ -792,6 +793,7 @@ setup(void) { |
||||
|
||||
ldapdb_clear(); |
||||
pgsqldb_clear(); |
||||
+ sqlitedb_clear(); |
||||
dirdb_clear(); |
||||
|
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
@@ -921,6 +923,23 @@ setup(void) { |
||||
ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." |
||||
); |
||||
|
||||
+ result = sqlitedb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB sqlite3 module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB sqlite3 zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded." |
||||
+ ); |
||||
+ |
||||
result = dirdb_init(); |
||||
if (result != ISC_R_SUCCESS) |
||||
{ |
||||
@@ -971,6 +990,7 @@ cleanup(void) { |
||||
|
||||
ldapdb_clear(); |
||||
pgsqldb_clear(); |
||||
+ sqlitedb_clear(); |
||||
dirdb_clear(); |
||||
|
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
diff -up bind-9.8.1rc1/bin/named-sdb/Makefile.in.sdb-sqlite-bld bind-9.8.1rc1/bin/named-sdb/Makefile.in |
||||
--- bind-9.8.1rc1/bin/named-sdb/Makefile.in.sdb-sqlite-bld 2011-08-31 14:41:15.646020840 +0200 |
||||
+++ bind-9.8.1rc1/bin/named-sdb/Makefile.in 2011-08-31 14:41:15.658020839 +0200 |
||||
@@ -28,10 +28,10 @@ top_srcdir = @top_srcdir@ |
||||
# |
||||
# Add database drivers here. |
||||
# |
||||
-DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@ |
||||
-DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c |
||||
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@ |
||||
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c |
||||
DBDRIVER_INCLUDES = |
||||
-DBDRIVER_LIBS = -lldap -llber -lpq |
||||
+DBDRIVER_LIBS = -lldap -llber -lpq -lsqlite3 |
||||
|
||||
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers |
||||
|
||||
diff -up bind-9.8.1rc1/bin/sdb_tools/Makefile.in.sdb-sqlite-bld bind-9.8.1rc1/bin/sdb_tools/Makefile.in |
||||
--- bind-9.8.1rc1/bin/sdb_tools/Makefile.in.sdb-sqlite-bld 2011-08-31 14:41:15.651020840 +0200 |
||||
+++ bind-9.8.1rc1/bin/sdb_tools/Makefile.in 2011-08-31 14:41:15.658020839 +0200 |
||||
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} |
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
|
||||
-TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ |
||||
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@ |
||||
|
||||
-OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ |
||||
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@ |
||||
|
||||
-SRCS = zone2ldap.c ldap2zone.c zonetodb.c |
||||
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c |
||||
|
||||
MANPAGES = zone2ldap.1 |
||||
|
||||
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI |
||||
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS} |
||||
|
||||
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS} |
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS} |
||||
+ |
||||
ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS} |
||||
|
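Review bot: The new zone2sqlite link line adds `-lssl` next to `-lsqlite3`, but nothing in this patch references OpenSSL, and linking libssl into a zone-import tool widens its dependency surface for no visible reason; if it is needed it should be `-lssl -lcrypto` with a comment saying why, otherwise drop it. `${LIBS}` already expands `${DBDRIVER_LIBS}`, which this patch extends with `-lsqlite3` for named-sdb, so the explicit `-lsqlite3` here is presumably redundant once that variable is defined for sdb_tools — its definition is not in this hunk. The neighbouring zonetodb rule uses `${CFLAGS}` where every other rule uses `${ALL_CFLAGS}`; pre-existing, but worth aligning while this block is being touched.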
||||
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir} |
||||
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1 |
@@ -0,0 +1,239 @@
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in |
||||
index 187ec23..e6179e7 100644 |
||||
--- a/bin/Makefile.in |
||||
+++ b/bin/Makefile.in |
||||
@@ -19,8 +19,8 @@ srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
-SUBDIRS = named named-pkcs11 rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \ |
||||
- check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ |
||||
+SUBDIRS = named named-pkcs11 named-sdb rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \ |
||||
+ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools |
||||
TARGETS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in |
||||
index bc5be2a..71324d9 100644 |
||||
--- a/bin/named-sdb/Makefile.in |
||||
+++ b/bin/named-sdb/Makefile.in |
||||
@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@ |
||||
# |
||||
# Add database drivers here. |
||||
# |
||||
-DBDRIVER_OBJS = |
||||
-DBDRIVER_SRCS = |
||||
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@ |
||||
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c |
||||
DBDRIVER_INCLUDES = |
||||
-DBDRIVER_LIBS = |
||||
+DBDRIVER_LIBS = -lldap -llber -lpq |
||||
|
||||
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers |
||||
|
||||
@@ -83,7 +83,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
|
||||
SUBDIRS = unix |
||||
|
||||
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ |
||||
+TARGETS = named-sdb@EXEEXT@ |
||||
|
||||
GEOIPLINKOBJS = geoip.@O@ |
||||
|
||||
@@ -146,7 +146,7 @@ config.@O@: config.c bind.keys.h |
||||
-DNS_SYSCONFDIR=\"${sysconfdir}\" \ |
||||
-c ${srcdir}/config.c |
||||
|
||||
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} |
||||
+named-sdb@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} |
||||
export MAKE_SYMTABLE="yes"; \ |
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
@@ -177,15 +177,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
- |
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} |
||||
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) |
||||
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 |
||||
+ |
||||
+install:: named-sdb@EXEEXT@ installdirs |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir} |
||||
|
||||
@DLZ_DRIVER_RULES@ |
||||
|
||||
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c |
||||
index a00687f..4fba625 100644 |
||||
--- a/bin/named-sdb/main.c |
||||
+++ b/bin/named-sdb/main.c |
||||
@@ -86,6 +86,9 @@ |
||||
* Include header files for database drivers here. |
||||
*/ |
||||
/* #include "xxdb.h" */ |
||||
+#include "ldapdb.h" |
||||
+#include "pgsqldb.h" |
||||
+#include "dirdb.h" |
||||
|
||||
#ifdef CONTRIB_DLZ |
||||
/* |
||||
@@ -817,6 +820,10 @@ setup(void) { |
||||
ns_main_earlyfatal("isc_app_start() failed: %s", |
||||
isc_result_totext(result)); |
||||
|
||||
+ ldapdb_clear(); |
||||
+ pgsqldb_clear(); |
||||
+ dirdb_clear(); |
||||
+ |
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product, |
||||
ns_g_version, saved_command_line); |
||||
@@ -929,6 +936,57 @@ setup(void) { |
||||
isc_result_totext(result)); |
||||
#endif |
||||
|
||||
+ result = ldapdb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB ldap module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB ldap zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded." |
||||
+ ); |
||||
+ |
||||
+ result = pgsqldb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB pgsql module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB pgsql zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded." |
||||
+ ); |
||||
+ |
||||
+ result = dirdb_init(); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB directory DB module initialisation failed: %s.", |
||||
+ isc_result_totext(result) |
||||
+ ); |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_ERROR, |
||||
+ "SDB directory DB zone database will be unavailable." |
||||
+ ); |
||||
+ }else |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded." |
||||
+ ); |
||||
+ |
||||
ns_server_create(ns_g_mctx, &ns_g_server); |
||||
} |
||||
|
||||
@@ -960,6 +1018,10 @@ cleanup(void) { |
||||
|
||||
dns_name_destroy(); |
||||
|
||||
+ ldapdb_clear(); |
||||
+ pgsqldb_clear(); |
||||
+ dirdb_clear(); |
||||
+ |
||||
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN, |
||||
ISC_LOG_NOTICE, "exiting"); |
||||
ns_log_shutdown(); |
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in |
||||
index bc5be2a..3c69c9b 100644 |
||||
--- a/bin/named/Makefile.in |
||||
+++ b/bin/named/Makefile.in |
||||
@@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ |
||||
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ |
||||
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ |
||||
+CDEFINES = @CRYPTO@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
@@ -75,11 +75,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ |
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
SUBDIRS = unix |
||||
|
||||
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ |
||||
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ |
||||
zoneconf.@O@ \ |
||||
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ |
||||
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ |
||||
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} |
||||
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ |
||||
|
||||
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ |
||||
|
||||
@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \ |
||||
tkeyconf.c tsigconf.c update.c xfrout.c \ |
||||
zoneconf.c \ |
||||
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ |
||||
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ |
||||
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} |
||||
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c |
||||
|
||||
MANPAGES = named.8 lwresd.8 named.conf.5 |
||||
|
||||
@@ -187,7 +185,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs |
||||
${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 |
||||
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 |
||||
|
||||
-@DLZ_DRIVER_RULES@ |
||||
- |
||||
named-symtbl.@O@: named-symtbl.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c |
||||
diff --git a/configure.in b/configure.in |
||||
index 9bb9a2a..d72093f 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -4018,12 +4018,15 @@ AC_CONFIG_FILES([ |
||||
bin/named-pkcs11/Makefile |
||||
bin/named-pkcs11/unix/Makefile |
||||
bin/named/unix/Makefile |
||||
+ bin/named-sdb/Makefile |
||||
+ bin/named-sdb/unix/Makefile |
||||
bin/nsupdate/Makefile |
||||
bin/pkcs11/Makefile |
||||
bin/python/Makefile |
||||
bin/python/dnssec-checkds.py |
||||
bin/python/dnssec-coverage.py |
||||
bin/rndc/Makefile |
||||
+ bin/sdb_tools/Makefile |
||||
bin/tests/Makefile |
||||
bin/tests/atomic/Makefile |
||||
bin/tests/db/Makefile |
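Review bot: In the new setup() code in bin/named-sdb/main.c a failed ldapdb_init(), pgsqldb_init() or dirdb_init() is only logged at ISC_LOG_ERROR and startup continues, so a named.conf that declares a `database "pgsql ..."` or `database "ldap ..."` zone still starts the daemon and only fails later at zone load, with the actual cause several lines earlier in the log. The isc_app_start() failure just above is handled with ns_main_earlyfatal(), so the softer handling here looks deliberate but is undocumented; either add a comment such as `/* A driver that fails to register is logged and skipped; zones that use it fail to load instead of aborting startup. */` above the first init call, or make the failure fatal if that is the intent. The three blocks are copy-pasted with `}else` followed by an unbraced multi-line else body; a braced `} else {` (or a small table of {name, init} pairs walked in a loop) would keep them consistent with the surrounding code. Since DBDRIVER_LIBS hard-codes -lldap -llber -lpq and all three drivers are compiled in unconditionally, the LDAP and PostgreSQL client libraries become part of named-sdb's attack surface even for deployments using only one driver, which is worth stating next to the "experimental" warning in the README. setup() and cleanup() both begin and end outside the hunk.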
@ -0,0 +1,740 @@
@@ -0,0 +1,740 @@
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in |
||||
index 87ca5b2..187ec23 100644 |
||||
--- a/bin/Makefile.in |
||||
+++ b/bin/Makefile.in |
||||
@@ -19,7 +19,7 @@ srcdir = @srcdir@ |
||||
VPATH = @srcdir@ |
||||
top_srcdir = @top_srcdir@ |
||||
|
||||
-SUBDIRS = named rndc dig dnssec tools tests nsupdate \ |
||||
+SUBDIRS = named named-pkcs11 rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \ |
||||
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ |
||||
TARGETS = |
||||
|
||||
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in |
||||
index 64e1846..7846662 100644 |
||||
--- a/bin/dnssec-pkcs11/Makefile.in |
||||
+++ b/bin/dnssec-pkcs11/Makefile.in |
||||
@@ -23,18 +23,18 @@ top_srcdir = @top_srcdir@ |
||||
|
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} |
||||
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} |
||||
|
||||
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ |
||||
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" |
||||
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" |
||||
CWARNINGS = |
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ |
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_PK11_LIBS@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@ |
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@ |
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} |
||||
|
||||
@@ -43,10 +43,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ |
||||
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ |
||||
|
||||
# Alphabetically |
||||
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ |
||||
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \ |
||||
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \ |
||||
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@ |
||||
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \ |
||||
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \ |
||||
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \ |
||||
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@ |
||||
|
||||
OBJS = dnssectool.@O@ |
||||
|
||||
@@ -67,15 +67,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
|
||||
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
@@ -83,7 +83,7 @@ dnssec-signzone.@O@: dnssec-signzone.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ |
||||
-c ${srcdir}/dnssec-signzone.c |
||||
|
||||
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
@@ -91,19 +91,19 @@ dnssec-verify.@O@: dnssec-verify.c |
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \ |
||||
-c ${srcdir}/dnssec-verify.c |
||||
|
||||
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS} |
||||
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
|
||||
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
dnssec-revoke.@O@ ${OBJS} ${LIBS} |
||||
|
||||
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
dnssec-settime.@O@ ${OBJS} ${LIBS} |
||||
|
||||
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} |
||||
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS} |
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
dnssec-importkey.@O@ ${OBJS} ${LIBS} |
||||
|
||||
@@ -114,11 +114,9 @@ docclean manclean maintainer-clean:: |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
|
||||
install:: ${TARGETS} installdirs |
||||
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done |
||||
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done |
||||
|
||||
clean distclean:: |
||||
rm -f ${TARGETS} |
||||
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in |
||||
index 64e1846..cfb5628 100644 |
||||
--- a/bin/dnssec/Makefile.in |
||||
+++ b/bin/dnssec/Makefile.in |
||||
@@ -25,7 +25,7 @@ top_srcdir = @top_srcdir@ |
||||
|
||||
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} |
||||
|
||||
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \ |
||||
+CDEFINES = -DVERSION=\"${VERSION}\" \ |
||||
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\" |
||||
CWARNINGS = |
||||
|
||||
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in |
||||
index 8b9e87a..5b7d939 100644 |
||||
--- a/bin/named-pkcs11/Makefile.in |
||||
+++ b/bin/named-pkcs11/Makefile.in |
||||
@@ -45,26 +45,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@ |
||||
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@ |
||||
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ |
||||
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \ |
||||
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ |
||||
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \ |
||||
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \ |
||||
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ |
||||
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@ |
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ |
||||
ISCCCLIBS = ../../lib/isccc/libisccc.@A@ |
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ |
||||
LWRESLIBS = ../../lib/lwres/liblwres.@A@ |
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@ |
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@ |
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ |
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ |
||||
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ |
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ |
||||
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ |
||||
|
||||
@@ -73,15 +73,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \ |
||||
|
||||
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \ |
||||
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \ |
||||
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@ |
||||
+ @LIBS@ |
||||
|
||||
SUBDIRS = unix |
||||
|
||||
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@ |
||||
+TARGETS = named-pkcs11@EXEEXT@ |
||||
|
||||
GEOIPLINKOBJS = geoip.@O@ |
||||
|
||||
@@ -92,8 +92,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ |
||||
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \ |
||||
zoneconf.@O@ \ |
||||
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \ |
||||
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \ |
||||
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS} |
||||
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ |
||||
|
||||
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@ |
||||
|
||||
@@ -108,8 +107,7 @@ SRCS = builtin.c client.c config.c control.c \ |
||||
tkeyconf.c tsigconf.c update.c xfrout.c \ |
||||
zoneconf.c \ |
||||
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \ |
||||
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \ |
||||
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS} |
||||
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c |
||||
|
||||
MANPAGES = named.8 lwresd.8 named.conf.5 |
||||
|
||||
@@ -145,7 +143,7 @@ config.@O@: config.c bind.keys.h |
||||
-DNS_SYSCONFDIR=\"${sysconfdir}\" \ |
||||
-c ${srcdir}/config.c |
||||
|
||||
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} |
||||
+named-pkcs11@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS} |
||||
export MAKE_SYMTABLE="yes"; \ |
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \ |
||||
${FINALBUILDCMD} |
||||
@@ -176,15 +174,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5 |
||||
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 |
||||
- |
||||
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir} |
||||
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@) |
||||
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8 |
||||
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5 |
||||
+ |
||||
+install:: named-pkcs11@EXEEXT@ installdirs |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir} |
||||
|
||||
@DLZ_DRIVER_RULES@ |
||||
|
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in |
||||
index 8b9e87a..5ba3f56 100644 |
||||
--- a/bin/named/Makefile.in |
||||
+++ b/bin/named/Makefile.in |
||||
@@ -49,7 +49,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ |
||||
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ |
||||
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@ |
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@ |
||||
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in |
||||
index 15d3fb5..32cc753 100644 |
||||
--- a/bin/pkcs11/Makefile.in |
||||
+++ b/bin/pkcs11/Makefile.in |
||||
@@ -20,13 +20,13 @@ top_srcdir = @top_srcdir@ |
||||
|
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
-CINCLUDES = ${ISC_INCLUDES} |
||||
+CINCLUDES = ${ISC_PKCS11_INCLUDES} |
||||
|
||||
CDEFINES = |
||||
|
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
DEPLIBS = ${ISCDEPLIBS} |
||||
|
||||
diff --git a/configure.in b/configure.in |
||||
index 5c79d6d..6c08de9 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -659,10 +659,10 @@ AC_ARG_WITH(pkcs11, |
||||
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw" |
||||
if test "$use_openssl" = "auto" |
||||
then |
||||
- if test "$want_native_pkcs11" = "yes" |
||||
- then |
||||
- use_openssl="native_pkcs11" |
||||
- else |
||||
+# if test "$want_native_pkcs11" = "yes" |
||||
+# then |
||||
+# use_openssl="native_pkcs11" |
||||
+# else |
||||
for d in $openssldirs |
||||
do |
||||
if test -f $d/include/openssl/opensslv.h |
||||
@@ -671,7 +671,7 @@ then |
||||
break |
||||
fi |
||||
done |
||||
- fi |
||||
+# fi |
||||
fi |
||||
OPENSSL_ECDSA="" |
||||
OPENSSL_GOST="" |
||||
@@ -730,11 +730,11 @@ case "$use_openssl" in |
||||
If you don't want OpenSSL, use --without-openssl]) |
||||
;; |
||||
*) |
||||
- if test "$want_native_pkcs11" = "yes" |
||||
- then |
||||
- AC_MSG_RESULT() |
||||
- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) |
||||
- fi |
||||
+# if test "$want_native_pkcs11" = "yes" |
||||
+# then |
||||
+# AC_MSG_RESULT() |
||||
+# AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.]) |
||||
+# fi |
||||
if test "$use_openssl" = "yes" |
||||
then |
||||
# User did not specify a path - guess it |
||||
@@ -1014,6 +1014,7 @@ AC_SUBST(OPENSSL_ECDSA) |
||||
AC_SUBST(OPENSSL_GOST) |
||||
|
||||
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS" |
||||
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS" |
||||
|
||||
# |
||||
# Use OpenSSL for hash functions |
||||
@@ -1195,7 +1196,7 @@ case "$use_pkcs11" in |
||||
esac |
||||
AC_SUBST(PKCS11_PROVIDER) |
||||
|
||||
- |
||||
+CRYPTO_PK11="" |
||||
PKCS11_ECDSA="" |
||||
PKCS11_GOST="" |
||||
AC_MSG_CHECKING(for native PKCS11) |
||||
@@ -1203,7 +1204,7 @@ AC_MSG_CHECKING(for native PKCS11) |
||||
case "$want_native_pkcs11" in |
||||
yes) |
||||
AC_MSG_RESULT(using native PKCS11 crypto) |
||||
- CRYPTO="-DPKCS11CRYPTO" |
||||
+ CRYPTO_PK11="-DPKCS11CRYPTO" |
||||
PKCS11LINKOBJS='${PKCS11LINKOBJS}' |
||||
PKCS11LINKSRCS='${PKCS11LINKSRCS}' |
||||
PKCS11_TEST=pkcs11 |
||||
@@ -1240,6 +1241,7 @@ esac |
||||
AC_SUBST(PKCS11LINKOBJS) |
||||
AC_SUBST(PKCS11LINKSRCS) |
||||
AC_SUBST(CRYPTO) |
||||
+AC_SUBST(CRYPTO_PK11) |
||||
AC_SUBST(PKCS11_ECDSA) |
||||
AC_SUBST(PKCS11_GOST) |
||||
AC_SUBST(PKCS11_TEST) |
||||
@@ -1531,12 +1533,13 @@ AC_SUBST(USE_GSSAPI) |
||||
AC_SUBST(DST_GSSAPI_INC) |
||||
AC_SUBST(DNS_GSSAPI_LIBS) |
||||
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS" |
||||
- |
||||
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS" |
||||
# |
||||
# Applications linking with libdns also need to link with these libraries. |
||||
# |
||||
|
||||
AC_SUBST(DNS_CRYPTO_LIBS) |
||||
+AC_SUBST(DNS_CRYPTO_PK11_LIBS) |
||||
|
||||
# |
||||
# was --with-randomdev specified? |
||||
@@ -4014,7 +4017,10 @@ AC_CONFIG_FILES([ |
||||
bin/confgen/unix/Makefile |
||||
bin/dig/Makefile |
||||
bin/dnssec/Makefile |
||||
+ bin/dnssec-pkcs11/Makefile |
||||
bin/named/Makefile |
||||
+ bin/named-pkcs11/Makefile |
||||
+ bin/named-pkcs11/unix/Makefile |
||||
bin/named/unix/Makefile |
||||
bin/nsupdate/Makefile |
||||
bin/pkcs11/Makefile |
||||
@@ -4097,11 +4103,19 @@ AC_CONFIG_FILES([ |
||||
lib/dns/include/dns/Makefile |
||||
lib/dns/include/dst/Makefile |
||||
lib/dns/tests/Makefile |
||||
+ lib/dns-pkcs11/Makefile |
||||
+ lib/dns-pkcs11/include/Makefile |
||||
+ lib/dns-pkcs11/include/dns/Makefile |
||||
+ lib/dns-pkcs11/include/dst/Makefile |
||||
lib/export/Makefile |
||||
lib/export/dns/Makefile |
||||
lib/export/dns/include/Makefile |
||||
lib/export/dns/include/dns/Makefile |
||||
lib/export/dns/include/dst/Makefile |
||||
+ lib/export/dns-pkcs11/Makefile |
||||
+ lib/export/dns-pkcs11/include/Makefile |
||||
+ lib/export/dns-pkcs11/include/dns/Makefile |
||||
+ lib/export/dns-pkcs11/include/dst/Makefile |
||||
lib/export/irs/Makefile |
||||
lib/export/irs/include/Makefile |
||||
lib/export/irs/include/irs/Makefile |
||||
@@ -4115,6 +4129,16 @@ AC_CONFIG_FILES([ |
||||
lib/export/isc/unix/Makefile |
||||
lib/export/isc/unix/include/Makefile |
||||
lib/export/isc/unix/include/isc/Makefile |
||||
+ lib/export/isc-pkcs11/$thread_dir/Makefile |
||||
+ lib/export/isc-pkcs11/$thread_dir/include/Makefile |
||||
+ lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile |
||||
+ lib/export/isc-pkcs11/Makefile |
||||
+ lib/export/isc-pkcs11/include/Makefile |
||||
+ lib/export/isc-pkcs11/include/isc/Makefile |
||||
+ lib/export/isc-pkcs11/nls/Makefile |
||||
+ lib/export/isc-pkcs11/unix/Makefile |
||||
+ lib/export/isc-pkcs11/unix/include/Makefile |
||||
+ lib/export/isc-pkcs11/unix/include/isc/Makefile |
||||
lib/export/isccfg/Makefile |
||||
lib/export/isccfg/include/Makefile |
||||
lib/export/isccfg/include/isccfg/Makefile |
||||
@@ -4143,6 +4167,24 @@ AC_CONFIG_FILES([ |
||||
lib/isc/unix/include/Makefile |
||||
lib/isc/unix/include/isc/Makefile |
||||
lib/isc/unix/include/pkcs11/Makefile |
||||
+ lib/isc-pkcs11/$arch/Makefile |
||||
+ lib/isc-pkcs11/$arch/include/Makefile |
||||
+ lib/isc-pkcs11/$arch/include/isc/Makefile |
||||
+ lib/isc-pkcs11/$thread_dir/Makefile |
||||
+ lib/isc-pkcs11/$thread_dir/include/Makefile |
||||
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile |
||||
+ lib/isc-pkcs11/Makefile |
||||
+ lib/isc-pkcs11/include/Makefile |
||||
+ lib/isc-pkcs11/include/isc/Makefile |
||||
+ lib/isc-pkcs11/include/isc/platform.h |
||||
+ lib/isc-pkcs11/include/pk11/Makefile |
||||
+ lib/isc-pkcs11/include/pkcs11/Makefile |
||||
+ lib/isc-pkcs11/tests/Makefile |
||||
+ lib/isc-pkcs11/nls/Makefile |
||||
+ lib/isc-pkcs11/unix/Makefile |
||||
+ lib/isc-pkcs11/unix/include/Makefile |
||||
+ lib/isc-pkcs11/unix/include/isc/Makefile |
||||
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile |
||||
lib/isccc/Makefile |
||||
lib/isccc/include/Makefile |
||||
lib/isccc/include/isccc/Makefile |
||||
diff --git a/lib/Makefile.in b/lib/Makefile.in |
||||
index 8dc1d38..8e48d5e 100644 |
||||
--- a/lib/Makefile.in |
||||
+++ b/lib/Makefile.in |
||||
@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@ |
||||
# Attempt to disable parallel processing. |
||||
.NOTPARALLEL: |
||||
.NO_PARALLEL: |
||||
-SUBDIRS = isc isccc dns isccfg bind9 lwres tests |
||||
+SUBDIRS = isc isccc dns isccfg bind9 lwres tests isc-pkcs11 dns-pkcs11 |
||||
TARGETS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in |
||||
index ae316c5..1a79768 100644 |
||||
--- a/lib/dns-pkcs11/Makefile.in |
||||
+++ b/lib/dns-pkcs11/Makefile.in |
||||
@@ -27,16 +27,16 @@ top_srcdir = @top_srcdir@ |
||||
|
||||
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ |
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \ |
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} \ |
||||
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@ |
||||
|
||||
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} |
||||
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO} |
||||
|
||||
CWARNINGS = |
||||
|
||||
-ISCLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
-ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
@@ -131,24 +131,24 @@ version.@O@: version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libdns.@SA@: ${OBJS} |
||||
+libdns-pkcs11.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libdns.la: ${OBJS} |
||||
+libdns-pkcs11.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} |
||||
|
||||
-timestamp: libdns.@A@ |
||||
+timestamp: libdns-pkcs11.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-pkcs11.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f libdns.@A@ timestamp |
||||
@@ -181,7 +181,7 @@ code.h: gen |
||||
./gen -s ${srcdir} > code.h |
||||
|
||||
gen: gen.c |
||||
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \ |
||||
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \ |
||||
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS} |
||||
|
||||
rbtdb64.@O@: rbtdb.c |
||||
diff --git a/lib/export/Makefile.in b/lib/export/Makefile.in |
||||
index 1fd7216..a8a1342 100644 |
||||
--- a/lib/export/Makefile.in |
||||
+++ b/lib/export/Makefile.in |
||||
@@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@ |
||||
# Attempt to disable parallel processing. |
||||
.NOTPARALLEL: |
||||
.NO_PARALLEL: |
||||
-SUBDIRS = isc dns isccfg irs samples |
||||
+SUBDIRS = isc dns isccfg irs samples isc-pkcs11 dns-pkcs11 |
||||
TARGETS = |
||||
|
||||
@BIND9_MAKE_RULES@ |
||||
diff --git a/lib/export/dns-pkcs11/Makefile.in b/lib/export/dns-pkcs11/Makefile.in |
||||
index 887acb9..0f8abd3 100644 |
||||
--- a/lib/export/dns-pkcs11/Makefile.in |
||||
+++ b/lib/export/dns-pkcs11/Makefile.in |
||||
@@ -15,7 +15,7 @@ |
||||
# $Id$ |
||||
|
||||
top_srcdir = @top_srcdir@ |
||||
-srcdir = @top_srcdir@/lib/dns |
||||
+srcdir = @top_srcdir@/lib/dns-pkcs11 |
||||
export_srcdir = @top_srcdir@/lib/export |
||||
|
||||
# Attempt to disable parallel processing. |
||||
@@ -28,16 +28,16 @@ export_srcdir = @top_srcdir@/lib/export |
||||
|
||||
@BIND9_MAKE_INCLUDES@ |
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \ |
||||
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ |
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} -I${export_srcdir}/isc-pkcs11/include \ |
||||
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ |
||||
|
||||
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ |
||||
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ |
||||
|
||||
CWARNINGS = |
||||
|
||||
-ISCLIBS = ../isc/libisc-export.@A@ |
||||
+ISCLIBS = ../isc-pkcs11/libisc-pkcs11-export.@A@ |
||||
|
||||
-ISCDEPLIBS = ../isc/libisc-export.@A@ |
||||
+ISCDEPLIBS = ../isc-pkcs11/libisc-pkcs11-export.@A@ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
@@ -118,29 +118,29 @@ version.@O@: ${srcdir}/version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libdns-export.@SA@: ${OBJS} |
||||
+libdns-pkcs11-export.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libdns-export.la: ${OBJS} |
||||
+libdns-pkcs11-export.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11-export.la \ |
||||
-rpath ${export_libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} |
||||
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS} |
||||
|
||||
-timestamp: libdns-export.@A@ |
||||
+timestamp: libdns-pkcs11-export.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \ |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-pkcs11-export.@A@ \ |
||||
${DESTDIR}${export_libdir}/ |
||||
|
||||
clean distclean:: |
||||
- rm -f libdns-export.@A@ timestamp |
||||
+ rm -f libdns-pkcs11-export.@A@ timestamp |
||||
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h |
||||
rm -f include/dns/rdatastruct.h |
||||
|
||||
diff --git a/lib/export/isc-pkcs11/Makefile.in b/lib/export/isc-pkcs11/Makefile.in |
||||
index 4f4a9f7..f8224e7 100644 |
||||
--- a/lib/export/isc-pkcs11/Makefile.in |
||||
+++ b/lib/export/isc-pkcs11/Makefile.in |
||||
@@ -15,7 +15,7 @@ |
||||
# $Id: Makefile.in,v 1.8 2010/06/09 23:50:58 tbox Exp $ |
||||
|
||||
top_srcdir = @top_srcdir@ |
||||
-srcdir = @top_srcdir@/lib/isc |
||||
+srcdir = @top_srcdir@/lib/isc-pkcs11 |
||||
export_srcdir = @top_srcdir@/lib/export |
||||
|
||||
@BIND9_VERSION@ |
||||
@@ -25,9 +25,9 @@ export_srcdir = @top_srcdir@/lib/export |
||||
CINCLUDES = -I${srcdir}/unix/include \ |
||||
-I${srcdir}/@ISC_THREAD_DIR@/include \ |
||||
-I${srcdir}/@ISC_ARCH_DIR@/include \ |
||||
- -I${export_srcdir}/isc/include -I${srcdir}/include \ |
||||
+ -I${export_srcdir}/isc-pkcs11/include -I${srcdir}/include \ |
||||
@ISC_OPENSSL_INC@ |
||||
-CDEFINES = @CRYPTO@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \ |
||||
+CDEFINES = @CRYPTO_PK11@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \ |
||||
-DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \ |
||||
-DUSE_TIMERIMPREGISTER |
||||
CWARNINGS = |
||||
@@ -119,26 +119,26 @@ version.@O@: ${srcdir}/version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libisc-export.@SA@: ${OBJS} |
||||
+libisc-pkcs11-export.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisc-export.la: ${OBJS} |
||||
+libisc-pkcs11-export.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-export.la \ |
||||
-rpath ${export_libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${LIBS} |
||||
|
||||
-timestamp: libisc-export.@A@ |
||||
+timestamp: libisc-pkcs11-export.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \ |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-pkcs11-export.@A@ \ |
||||
${DESTDIR}${export_libdir} |
||||
|
||||
clean distclean:: |
||||
- rm -f libisc-export.@A@ libisc-export.la timestamp |
||||
+ rm -f libisc-pkcs11-export.@A@ libisc-pkcs11-export.la timestamp |
||||
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in |
||||
index df62ec9..d9f0107 100644 |
||||
--- a/lib/isc-pkcs11/Makefile.in |
||||
+++ b/lib/isc-pkcs11/Makefile.in |
||||
@@ -31,8 +31,8 @@ CINCLUDES = -I${srcdir}/unix/include \ |
||||
-I${srcdir}/@ISC_THREAD_DIR@/include \ |
||||
-I${srcdir}/@ISC_ARCH_DIR@/include \ |
||||
-I./include \ |
||||
- -I${srcdir}/include @ISC_OPENSSL_INC@ ${DNS_INCLUDES} |
||||
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" |
||||
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES} |
||||
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\" |
||||
CWARNINGS = |
||||
|
||||
# Alphabetically |
||||
@@ -110,35 +110,35 @@ version.@O@: version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS} |
||||
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisc-nosymtbl.@SA@: ${OBJS} |
||||
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisc.la: ${OBJS} ${SYMTBLOBJS} |
||||
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${SYMTBLOBJS} ${LIBS} |
||||
|
||||
-libisc-nosymtbl.la: ${OBJS} |
||||
+libisc-pkcs11-nosymtbl.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${LIBS} |
||||
|
||||
-timestamp: libisc.@A@ libisc-nosymtbl.@A@ |
||||
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-pkcs11.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ |
||||
- libisc-nosymtbl.la timestamp |
||||
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \ |
||||
+ libisc-pkcs11-nosymtbl.la timestamp |
||||
diff --git a/make/includes.in b/make/includes.in |
||||
index f2f1b3f..639477c 100644 |
||||
--- a/make/includes.in |
||||
+++ b/make/includes.in |
||||
@@ -46,3 +46,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \ |
||||
|
||||
TEST_INCLUDES = \ |
||||
-I${top_srcdir}/lib/tests/include |
||||
+ |
||||
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11 \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/include \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \ |
||||
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include |
||||
+ |
||||
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \ |
||||
+ -I${top_srcdir}/lib/dns-pkcs11/include |
@ -0,0 +1,27 @@
@@ -0,0 +1,27 @@
|
||||
diff -up bind-9.9.4/contrib/dlz/config.dlz.in.libdb bind-9.9.4/contrib/dlz/config.dlz.in |
||||
--- bind-9.9.4/contrib/dlz/config.dlz.in.libdb 2014-01-06 13:24:24.669256364 +0100 |
||||
+++ bind-9.9.4/contrib/dlz/config.dlz.in 2014-01-06 13:26:29.861420493 +0100 |
||||
@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in |
||||
# Check other locations for includes. |
||||
# Order is important (sigh). |
||||
|
||||
- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/" |
||||
+ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/" |
||||
for d in $bdb_incdirs |
||||
do |
||||
if test -f "$dd/include${d}db.h" |
||||
@@ -283,13 +283,7 @@ case "$use_dlz_bdb" in |
||||
do |
||||
if test -f "$dd/${target_lib}/lib${d}.so" |
||||
then |
||||
- if test "$dd" != "/usr" |
||||
- then |
||||
- dlz_bdb_libs="-L${dd}/${target_lib} " |
||||
- else |
||||
- dlz_bdb_libs="" |
||||
- fi |
||||
- dlz_bdb_libs="${dlz_bdb_libs}-l${d}" |
||||
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}" |
||||
break |
||||
fi |
||||
done |
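Review bot: The probe and the link path disagree in the new `dlz_bdb_libs=` line: the loop only enters this branch when `$dd/${target_lib}/lib${d}.so` exists, yet the replacement emits `-L${dd}/${target_lib}/libdb`, a subdirectory the test never looked at, so a library that lives only in `libdb/` is never detected while one found in `${target_lib}` is linked against the wrong search path. Either make the test match the path being emitted, `if test -f "$dd/${target_lib}/libdb/lib${d}.so"`, or keep the original `-L${dd}/${target_lib}` and add the `libdb` entry as a second probe. The removed `$dd != /usr` guard also means a plain `-L/usr/lib64/libdb` is now emitted even for the system prefix, which is presumably intentional for a distribution build but deserves a one-line comment such as `# Fedora/RHEL ship libdb under ${target_lib}/libdb`. The surrounding `case`/`for` block starts and ends outside the hunk.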
@ -0,0 +1,66 @@
@@ -0,0 +1,66 @@
|
||||
diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in |
||||
--- bind-9.9.3rc2/config.h.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/config.h.in 2013-05-13 12:10:22.514870894 +0200 |
||||
@@ -416,7 +416,7 @@ int sigwait(const unsigned int *set, int |
||||
#undef PORT_NONBLOCK |
||||
|
||||
/* The size of `void *', as computed by sizeof. */ |
||||
-#undef SIZEOF_VOID_P |
||||
+/* #undef SIZEOF_VOID_P */ |
||||
|
||||
/* Define to 1 if you have the ANSI C header files. */ |
||||
#undef STDC_HEADERS |
||||
diff -up bind-9.9.3rc2/configure.in.multlib-conflict bind-9.9.3rc2/configure.in |
||||
--- bind-9.9.3rc2/configure.in.multlib-conflict 2013-05-13 12:10:22.481870901 +0200 |
||||
+++ bind-9.9.3rc2/configure.in 2013-05-13 12:10:22.515870894 +0200 |
||||
@@ -2251,7 +2251,9 @@ int getnameinfo(const struct sockaddr *, |
||||
size_t, char *, size_t, int);], |
||||
[ return (0);], |
||||
[AC_MSG_RESULT(size_t for buflen; int for flags) |
||||
- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) |
||||
+ # Changed to solve multilib conflict on Fedora |
||||
+ #AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t) |
||||
+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) |
||||
AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)], |
||||
[AC_MSG_RESULT(not match any subspecies; assume standard definition) |
||||
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t) |
||||
diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-config.sh.in |
||||
--- bind-9.9.3rc2/isc-config.sh.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/isc-config.sh.in 2013-05-13 12:26:40.258698745 +0200 |
||||
@@ -21,7 +21,18 @@ prefix=@prefix@ |
||||
exec_prefix=@exec_prefix@ |
||||
exec_prefix_set= |
||||
includedir=@includedir@ |
||||
-libdir=@libdir@ |
||||
+arch=$(uname -m) |
||||
+ |
||||
+case $arch in |
||||
+ x86_64 | amd64 | sparc64 | s390x | ppc64) |
||||
+ libdir=/usr/lib64 |
||||
+ sec_libdir=/usr/lib |
||||
+ ;; |
||||
+ * ) |
||||
+ libdir=/usr/lib |
||||
+ sec_libdir=/usr/lib64 |
||||
+ ;; |
||||
+esac |
||||
|
||||
usage() |
||||
{ |
||||
@@ -133,6 +144,16 @@ if test x"$echo_libs" = x"true"; then |
||||
if test x"${exec_prefix_set}" = x"true"; then |
||||
includes="-L${exec_prefix}/lib" |
||||
else |
||||
+ if [ ! -x $libdir/libisc.so ] ; then |
||||
+ if [ ! -x $sec_libdir/libisc.so ] ; then |
||||
+ echo "Error: ISC libs not found in $libdir" |
||||
+ if [ -d $sec_libdir ] ; then |
||||
+ echo "Error: ISC libs not found in $sec_libdir" |
||||
+ fi |
||||
+ exit 1 |
||||
+ fi |
||||
+ libdir=$sec_libdir |
||||
+ fi |
||||
libs="-L${libdir}" |
||||
fi |
||||
if test x"$liblwres" = x"true" ; then |
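Review bot: The new `libdir=`/`sec_libdir=` selection in the isc-config.sh.in hunk hard-codes `/usr/lib` and `/usr/lib64` from `uname -m` and discards the configured `@libdir@` (and the `exec_prefix` handling just above it), so a build installed under any non-default prefix now emits a `-L` that points at a directory it never installed into, and `uname -m` reports the kernel's architecture rather than the userland's, which is wrong in a 32-bit chroot on a 64-bit kernel. A safer shape keeps `libdir=@libdir@` as the primary value and only falls back to the arch-derived directory when the configured one lacks the library. In the second hunk the probe `[ ! -x $libdir/libisc.so ]` tests the execute bit of a shared object and leaves `$libdir` unquoted; `if [ ! -f "$libdir/libisc.so" ] ; then` is the intended check. The configure.in hunk leaves a commented-out `#AC_DEFINE(... size_t)` line next to the replacement; the comment above it already records the reason, so the dead line can go. The `if`/`else` block that the second hunk edits ends outside the hunk.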
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
diff -up bind-9.9.3/lib/dns/include/dns/Makefile.in.update bind-9.9.3/lib/dns/include/dns/Makefile.in |
||||
--- bind-9.9.3/lib/dns/include/dns/Makefile.in.update 2013-06-03 09:29:41.049197873 +0200 |
||||
+++ bind-9.9.3/lib/dns/include/dns/Makefile.in 2013-06-03 09:30:09.229213170 +0200 |
||||
@@ -30,7 +30,7 @@ HEADERS = acl.h adb.h byaddr.h cache.h c |
||||
rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \ |
||||
rdataslab.h rdatatype.h request.h resolver.h result.h \ |
||||
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \ |
||||
- tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \ |
||||
+ tcpmsg.h time.h tkey.h tsig.h ttl.h types.h update.h\ |
||||
validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h \ |
||||
forward.h rrl.h |
||||
|
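Review bot: The added `update.h\` on the HEADERS line has no space before the continuation backslash, unlike every other entry in the list, and the `\` following `types.h` in the removed line was preceded by one; Make still joins the lines correctly, but the next person editing this list will trip over it. Write it as `tcpmsg.h time.h tkey.h tsig.h ttl.h types.h update.h \` to match the surrounding style. The HEADERS assignment starts before and ends after the hunk.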
@ -0,0 +1,40 @@
@@ -0,0 +1,40 @@
|
||||
diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.c |
||||
--- bind-9.5.0-P2/bin/dig/dighost.c.rh452060 2008-12-01 22:30:01.000000000 +0100 |
||||
+++ bind-9.5.0-P2/bin/dig/dighost.c 2008-12-01 22:30:07.000000000 +0100 |
||||
@@ -1280,6 +1280,12 @@ clear_query(dig_query_t *query) { |
||||
|
||||
debug("clear_query(%p)", query); |
||||
|
||||
+ if (query->waiting_senddone) { |
||||
+ debug("send_done not yet called"); |
||||
+ query->pending_free = ISC_TRUE; |
||||
+ return; |
||||
+ } |
||||
+ |
||||
lookup = query->lookup; |
||||
|
||||
if (lookup->current_query == query) |
||||
@@ -1301,10 +1307,7 @@ clear_query(dig_query_t *query) { |
||||
isc_mempool_put(commctx, query->recvspace); |
||||
isc_buffer_invalidate(&query->recvbuf); |
||||
isc_buffer_invalidate(&query->lengthbuf); |
||||
- if (query->waiting_senddone) |
||||
- query->pending_free = ISC_TRUE; |
||||
- else |
||||
- isc_mem_free(mctx, query); |
||||
+ isc_mem_free(mctx, query); |
||||
} |
||||
|
||||
/*% |
||||
@@ -2175,9 +2178,9 @@ send_done(isc_task_t *_task, isc_event_t |
||||
isc_event_free(&event); |
||||
|
||||
if (query->pending_free) |
||||
- isc_mem_free(mctx, query); |
||||
+ clear_query(query); |
||||
|
||||
- check_if_done(); |
||||
+ check_next_lookup(l); |
||||
UNLOCK_LOOKUP; |
||||
} |
||||
|
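Review bot: The new early return in clear_query() only terminates if send_done() has already cleared `query->waiting_senddone` before it reaches `clear_query(query)` in the third hunk; that reset is not visible in any of the hunks, and if it happens after (or not at all) the re-entrant call just sets `pending_free` again and returns, so the query is never freed and `lookup->current_query` is never cleared. A comment at the call site would pin the invariant: `/* waiting_senddone must already be ISC_FALSE here, otherwise clear_query() re-arms pending_free and returns */`. The third hunk also replaces `check_if_done()` with `check_next_lookup(l)`; `l` is not declared in any visible line, so confirm it is the lookup local of send_done() and not a stale name from another function. A query whose send never completes (socket error before send_done fires) now stays allocated with `pending_free` set; if that path exists, clear_query's original fallback of freeing inline is gone. Both clear_query() and send_done() start outside the hunks.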
@ -0,0 +1,23 @@
@@ -0,0 +1,23 @@
|
||||
diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c |
||||
--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100 |
||||
+++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100 |
||||
@@ -25,6 +25,7 @@ |
||||
/* Using LDAPv3 by default, change this if you want v2 */ |
||||
#ifndef LDAPDB_LDAP_VERSION |
||||
#define LDAPDB_LDAP_VERSION 3 |
||||
+#define LDAP_DEPRECATED 1 |
||||
#endif |
||||
|
||||
#include <config.h> |
||||
diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c |
||||
--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100 |
||||
+++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100 |
||||
@@ -13,6 +13,8 @@ |
||||
* ditched dNSDomain2 schema support. Version 0.3-ALPHA |
||||
*/ |
||||
|
||||
+#define LDAP_DEPRECATED 1 |
||||
+ |
||||
#include <errno.h> |
||||
#include <string.h> |
||||
#include <stdlib.h> |
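Review bot: In the ldapdb.c hunk `#define LDAP_DEPRECATED 1` is placed inside the `#ifndef LDAPDB_LDAP_VERSION` block, so any build that predefines `LDAPDB_LDAP_VERSION` on the command line (the documented way to select LDAPv2) silently skips the define and the deprecated `ldap_*` prototypes this patch exists to expose stay hidden, failing the compile. The zone2ldap.c hunk gets it right by defining it unconditionally before the first `#include`; ldapdb.c should do the same, i.e. move the line after the `#endif` and before `#include <config.h>`. A one-line comment such as `/* expose the pre-2.3 OpenLDAP API this driver still uses */` would explain the define in both files, since nothing on the page says why it is needed.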
@ -0,0 +1,13 @@
@@ -0,0 +1,13 @@
|
||||
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c |
||||
index 05eaeaa..82d0d16 100644 |
||||
--- a/lib/isc/unix/socket.c |
||||
+++ b/lib/isc/unix/socket.c |
||||
@@ -214,7 +214,7 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t; |
||||
*/ |
||||
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) |
||||
#ifndef ISC_SOCKET_MAXEVENTS |
||||
-#define ISC_SOCKET_MAXEVENTS 64 |
||||
+#define ISC_SOCKET_MAXEVENTS 2048 |
||||
#endif |
||||
#endif |
||||
|
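Review bot: Raising `ISC_SOCKET_MAXEVENTS` from 64 to 2048 changes how much ready-list state each poll pass handles, but the hunk carries no explanation of the motivation or of what the value sizes (the array it dimensions is outside the hunk), so the next reader cannot tell whether this is a throughput tuning or a workaround. Since the define is already under `#ifndef`, the value is build-time overridable; a comment should say so and record the reason, e.g. `/* raised from 64 to cut poll round-trips on busy resolvers; override with -DISC_SOCKET_MAXEVENTS=N */`, with the actual rationale substituted for the presumed one.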
@ -0,0 +1,72 @@
@@ -0,0 +1,72 @@
|
||||
diff -up bind-9.7.0rc2/lib/bind9/Makefile.in.nonexec bind-9.7.0rc2/lib/bind9/Makefile.in |
||||
--- bind-9.7.0rc2/lib/bind9/Makefile.in.nonexec 2009-12-06 00:31:40.000000000 +0100 |
||||
+++ bind-9.7.0rc2/lib/bind9/Makefile.in 2010-01-28 12:13:33.406696161 +0100 |
||||
@@ -78,7 +78,7 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind9.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libbind9.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f libbind9.@A@ timestamp |
||||
diff -up bind-9.7.0rc2/lib/dns/Makefile.in.nonexec bind-9.7.0rc2/lib/dns/Makefile.in |
||||
--- bind-9.7.0rc2/lib/dns/Makefile.in.nonexec 2009-12-06 00:31:40.000000000 +0100 |
||||
+++ bind-9.7.0rc2/lib/dns/Makefile.in 2010-01-28 12:13:33.406696161 +0100 |
||||
@@ -131,7 +131,7 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f libdns.@A@ timestamp |
||||
diff -up bind-9.7.0rc2/lib/isccc/Makefile.in.nonexec bind-9.7.0rc2/lib/isccc/Makefile.in |
||||
--- bind-9.7.0rc2/lib/isccc/Makefile.in.nonexec 2009-12-06 00:31:41.000000000 +0100 |
||||
+++ bind-9.7.0rc2/lib/isccc/Makefile.in 2010-01-28 12:13:33.406696161 +0100 |
||||
@@ -80,7 +80,7 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccc.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccc.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f libisccc.@A@ timestamp |
||||
diff -up bind-9.7.0rc2/lib/isccfg/Makefile.in.nonexec bind-9.7.0rc2/lib/isccfg/Makefile.in |
||||
--- bind-9.7.0rc2/lib/isccfg/Makefile.in.nonexec 2009-12-06 00:31:41.000000000 +0100 |
||||
+++ bind-9.7.0rc2/lib/isccfg/Makefile.in 2010-01-28 12:13:33.406696161 +0100 |
||||
@@ -77,7 +77,7 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f libisccfg.@A@ timestamp |
||||
diff -up bind-9.7.0rc2/lib/isc/Makefile.in.nonexec bind-9.7.0rc2/lib/isc/Makefile.in |
||||
--- bind-9.7.0rc2/lib/isc/Makefile.in.nonexec 2009-12-18 05:09:55.000000000 +0100 |
||||
+++ bind-9.7.0rc2/lib/isc/Makefile.in 2010-01-28 12:13:53.566696766 +0100 |
||||
@@ -121,7 +121,7 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ |
||||
diff -up bind-9.7.0rc2/lib/lwres/Makefile.in.nonexec bind-9.7.0rc2/lib/lwres/Makefile.in |
||||
--- bind-9.7.0rc2/lib/lwres/Makefile.in.nonexec 2007-06-20 01:47:22.000000000 +0200 |
||||
+++ bind-9.7.0rc2/lib/lwres/Makefile.in 2010-01-28 12:13:33.406696161 +0100 |
||||
@@ -78,7 +78,7 @@ installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} liblwres.@A@ ${DESTDIR}${libdir} |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} liblwres.@A@ ${DESTDIR}${libdir} |
||||
|
||||
clean distclean:: |
||||
rm -f liblwres.@A@ liblwres.la timestamp |
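Review bot: The switch from `${INSTALL_DATA}` to `${INSTALL_PROGRAM}` on the libtool install line is applied identically in all six hunks (lib/bind9, lib/dns, lib/isccc, lib/isccfg, lib/isc, lib/lwres) without a comment, so nothing records that shared objects are now deliberately installed with the execute bit and that this departs from the upstream rule. Presumably this is for distribution tooling that expects executable shared objects; the real reason should be stated once per file, e.g. `# install libraries with INSTALL_PROGRAM (mode 0755): distribution tooling expects executable .so files`. Note also that if `INSTALL_PROGRAM` is ever set to a stripping install (as `install-strip` conventions do), these libraries will be stripped at install time where `INSTALL_DATA` would not have been; confirm that is acceptable for the debuginfo flow. The `install::` rule in each hunk is complete, but the enclosing Makefile.in continues outside it.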
@ -0,0 +1,69 @@
@@ -0,0 +1,69 @@
|
||||
# The bind.keys file is used to override the built-in DNSSEC trust anchors |
||||
# which are included as part of BIND 9. As of the current release, the only |
||||
# trust anchors it contains are those for the DNS root zone ("."), and for |
||||
# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors |
||||
# for any other zones MUST be configured elsewhere; if they are configured |
||||
# here, they will not be recognized or used by named. |
||||
# |
||||
# The built-in trust anchors are provided for convenience of configuration. |
||||
# They are not activated within named.conf unless specifically switched on. |
||||
# To use the built-in root key, set "dnssec-validation auto;" in |
||||
# named.conf options. To use the built-in DLV key, set |
||||
# "dnssec-lookaside auto;". Without these options being set, |
||||
# the keys in this file are ignored. |
||||
# |
||||
# This file is NOT expected to be user-configured. |
||||
# |
||||
# These keys are current as of Feburary 2017. If any key fails to |
||||
# initialize correctly, it may have expired. In that event you should |
||||
# replace this file with a current version. The latest version of |
||||
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. |
||||
|
||||
managed-keys { |
||||
# ISC DLV: See https://www.isc.org/solutions/dlv for details. |
||||
# |
||||
# NOTE: The ISC DLV zone is being phased out as of February 2017; |
||||
# the key will remain in place but the zone will be otherwise empty. |
||||
# Configuring "dnssec-lookaside auto;" to activate this key is |
||||
# harmless, but is no longer useful and is not recommended. |
||||
dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 |
||||
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ |
||||
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 |
||||
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk |
||||
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM |
||||
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt |
||||
TDN0YUuWrBNh"; |
||||
|
||||
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml |
||||
# for current trust anchor information. |
||||
# |
||||
# These keys are activated by setting "dnssec-validation auto;" |
||||
# in named.conf. |
||||
# |
||||
# This key (19036) is to be phased out starting in 2017. It will |
||||
# remain in the root zone for some time after its successor key |
||||
# has been added. It will remain this file until it is removed from |
||||
# the root zone. |
||||
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF |
||||
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX |
||||
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD |
||||
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz |
||||
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS |
||||
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq |
||||
QxA+Uk1ihz0="; |
||||
|
||||
# This key (20326) is to be published in the root zone in 2017. |
||||
# Servers which were already using the old key (19036) should |
||||
# roll seamlessly to this new one via RFC 5011 rollover. Servers |
||||
# being set up for the first time can use the contents of this |
||||
# file as initializing keys; thereafter, the keys in the |
||||
# managed key database will be trusted and maintained |
||||
# automatically. |
||||
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 |
||||
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv |
||||
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF |
||||
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e |
||||
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd |
||||
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN |
||||
R1AkUTV74bU="; |
||||
}; |
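Review bot: This file ships three trust anchors verbatim, and nothing in the commit shows the key material was checked against the source the header itself names (`https://data.iana.org/root-anchors/root-anchors.xml`); a corrupted or stale anchor in a packaged `bind.keys` breaks validation for every resolver that enables `dnssec-validation auto;`, so the packaging step should compare the two `. initial-key 257 3 8` entries against the IANA-published DS/KSK data before release and record the date of that check. The header comment reads "current as of Feburary 2017", which is a typo for `February`. The `dlv.isc.org.` entry is kept even though the comment above it says it is no longer useful; if it stays, the note should say that `dnssec-lookaside auto;` is the only thing that activates it, which the surrounding text already implies but does not state next to the key.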
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
d /run/named 0755 named named - |
@ -0,0 +1,95 @@
@@ -0,0 +1,95 @@
|
||||
? patch |
||||
? lib/isc/lex.c.rh490837 |
||||
Index: lib/isc/lex.c |
||||
=================================================================== |
||||
RCS file: /var/snap/bind9/lib/isc/lex.c,v |
||||
retrieving revision 1.86 |
||||
diff -p -u -r1.86 lex.c |
||||
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86 |
||||
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000 |
||||
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne |
||||
if (source->is_file) { |
||||
stream = source->input; |
||||
|
||||
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED) |
||||
- c = getc_unlocked(stream); |
||||
-#else |
||||
- c = getc(stream); |
||||
-#endif |
||||
- if (c == EOF) { |
||||
- if (ferror(stream)) { |
||||
- source->result = ISC_R_IOERROR; |
||||
- result = source->result; |
||||
+ result = isc_stdio_fgetc(stream, &c); |
||||
+ |
||||
+ if (result != ISC_R_SUCCESS) { |
||||
+ if (result != ISC_R_EOF) { |
||||
+ source->result = result; |
||||
goto done; |
||||
} |
||||
+ |
||||
source->at_eof = ISC_TRUE; |
||||
} |
||||
} else { |
||||
Index: lib/isc/include/isc/stdio.h |
||||
=================================================================== |
||||
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v |
||||
retrieving revision 1.13 |
||||
diff -p -u -r1.13 stdio.h |
||||
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13 |
||||
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000 |
||||
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f); |
||||
* direct counterpart in the stdio library. |
||||
*/ |
||||
|
||||
+isc_result_t |
||||
+isc_stdio_fgetc(FILE *f, int *ret); |
||||
+ |
||||
ISC_LANG_ENDDECLS |
||||
|
||||
#endif /* ISC_STDIO_H */ |
||||
Index: lib/isc/unix/errno2result.c |
||||
=================================================================== |
||||
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v |
||||
retrieving revision 1.17 |
||||
diff -p -u -r1.17 errno2result.c |
||||
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17 |
||||
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000 |
||||
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) { |
||||
case EINVAL: /* XXX sometimes this is not for files */ |
||||
case ENAMETOOLONG: |
||||
case EBADF: |
||||
+ case EISDIR: |
||||
return (ISC_R_INVALIDFILE); |
||||
case ENOENT: |
||||
return (ISC_R_FILENOTFOUND); |
||||
Index: lib/isc/unix/stdio.c |
||||
=================================================================== |
||||
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v |
||||
retrieving revision 1.8 |
||||
diff -p -u -r1.8 stdio.c |
||||
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8 |
||||
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000 |
||||
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) { |
||||
return (isc__errno2result(errno)); |
||||
} |
||||
|
||||
+isc_result_t |
||||
+isc_stdio_fgetc(FILE *f, int *ret) { |
||||
+ int r; |
||||
+ isc_result_t result = ISC_R_SUCCESS; |
||||
+ |
||||
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED) |
||||
+ r = fgetc_unlocked(f); |
||||
+#else |
||||
+ r = fgets(f); |
||||
+#endif |
||||
+ |
||||
+ if (r == EOF) |
||||
+ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF; |
||||
+ |
||||
+ *ret = r; |
||||
+ |
||||
+ return result; |
||||
+} |
||||
+ |
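Review bot: The `#else` branch of the new `isc_stdio_fgetc()` in lib/isc/unix/stdio.c calls `r = fgets(f);`, which is the wrong function (fgets takes a buffer, a size and a stream and returns `char *`), so every build without `HAVE_FLOCKFILE`/`HAVE_GETCUNLOCKED` fails to compile; it must be `r = fgetc(f);`. The locked branch uses `fgetc_unlocked(f)`, but the configure test it sits behind checks for `getc_unlocked`, which is what the removed lex.c code used; either keep `r = getc_unlocked(f);` or add a matching configure check. The function also reads `errno` after `ferror(f)` without clearing it first, so a stale value from an earlier call can be reported; and the file's other functions return with `return (result);`, which this one should match. In the lex.c hunk the EOF path leaves the local `result` set to `ISC_R_EOF` and falls through; isc_lex_gettoken()'s `done:` exit is outside the hunk, so confirm `result` is reassigned before it is returned there.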
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
From 23c33ea76e916cc16e354faa218b6a0ca6385d00 Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 5 Dec 2017 16:33:08 +0100 |
||||
Subject: [PATCH] Fix bug #726120 |
||||
|
||||
--- |
||||
bin/dig/dighost.c | 3 ++- |
||||
1 file changed, 2 insertions(+), 1 deletion(-) |
||||
|
||||
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c |
||||
index 42a2fe2..3a066c6 100644 |
||||
--- a/bin/dig/dighost.c |
||||
+++ b/bin/dig/dighost.c |
||||
@@ -3416,7 +3416,8 @@ recv_done(isc_task_t *task, isc_event_t *event) { |
||||
return; |
||||
} |
||||
if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) || |
||||
- (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse)) |
||||
+ (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && |
||||
+ msg->rcode != dns_rcode_noerror && l->recurse)) |
||||
{ |
||||
dig_query_t *next = ISC_LIST_NEXT(query, link); |
||||
if (l->current_query == query) |
||||
-- |
||||
2.9.5 |
||||
|
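Review bot: The added `msg->rcode != dns_rcode_noerror` condition changes when dig gives up on a server that did not set RA, but neither the one-line subject "Fix bug #726120" nor the hunk says why a NOERROR answer without RA should now be accepted, so the next reader will have to reconstruct the reasoning from the bug tracker. A comment above the condition would carry it in the code: `/* A NOERROR reply is usable even without RA (e.g. an authoritative-only server); only move to the next server when there is no usable answer. */`, with the parenthetical adjusted to the actual case behind the bug. recv_done() starts and ends outside the hunk.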
@ -0,0 +1,19 @@
@@ -0,0 +1,19 @@
|
||||
diff -up bind-9.5.1b1/bin/dig/dighost.c.rh461409 bind-9.5.1b1/bin/dig/dighost.c |
||||
--- bind-9.5.1b1/bin/dig/dighost.c.rh461409 2008-09-16 14:04:03.000000000 +0200 |
||||
+++ bind-9.5.1b1/bin/dig/dighost.c 2008-09-16 14:06:06.000000000 +0200 |
||||
@@ -3665,6 +3665,15 @@ output_filter (isc_buffer_t *buffer, uns |
||||
(void) strcpy (tmp1, tmp2); |
||||
free (tmp2); |
||||
|
||||
+ tmp2 = stringprep_utf8_to_locale (tmp1); |
||||
+ if (tmp2 == NULL) { |
||||
+ debug ("output_filter: stringprep_utf8_to_locale failed"); |
||||
+ return ISC_R_SUCCESS; |
||||
+ } |
||||
+ |
||||
+ (void) strcpy (tmp1, tmp2); |
||||
+ free (tmp2); |
||||
+ |
||||
tolen = strlen (tmp1); |
||||
if (absolute && !end_with_dot && tmp1[tolen - 1] == '.') |
||||
tolen--; |
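Review bot: The new `(void) strcpy (tmp1, tmp2);` copies the locale-converted name into `tmp1` with no length check, and the converted string is produced by libidn from data that ultimately comes off the wire, so if `tmp1` is a fixed-size buffer (its declaration is outside the hunk) a conversion that grows the string overflows it. The pre-existing copy at the top of the hunk has the same shape, but the new code should not repeat the pattern; guard it, e.g. `if (strlen (tmp2) >= sizeof (tmp1)) { free (tmp2); return ISC_R_SUCCESS; }` if `tmp1` is an array, or use the buffer's tracked size if it is heap-allocated. The failure branch returns `ISC_R_SUCCESS` with `tmp1` still holding the UTF-8 form, which is presumably the intended best-effort behaviour and deserves a one-line comment saying so. output_filter() starts and ends outside the hunk.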
@ -0,0 +1,226 @@
@@ -0,0 +1,226 @@
|
||||
diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in |
||||
diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in |
||||
--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200 |
||||
@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_ |
||||
|
||||
CWARNINGS = |
||||
|
||||
-ISCLIBS = ../isc/libisc.@A@ |
||||
+ISCLIBS = ../isc/libisc-export.@A@ |
||||
|
||||
-ISCDEPLIBS = ../isc/libisc.@A@ |
||||
+ISCDEPLIBS = ../isc/libisc-export.@A@ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libdns.@SA@: ${OBJS} |
||||
+libdns-export.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libdns.la: ${OBJS} |
||||
+libdns-export.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \ |
||||
-rpath ${export_libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} |
||||
|
||||
-timestamp: libdns.@A@ |
||||
+timestamp: libdns-export.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \ |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \ |
||||
${DESTDIR}${export_libdir}/ |
||||
|
||||
clean distclean:: |
||||
- rm -f libdns.@A@ timestamp |
||||
+ rm -f libdns-export.@A@ timestamp |
||||
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h |
||||
rm -f include/dns/rdatastruct.h |
||||
|
||||
diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in |
||||
--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200 |
||||
@@ -43,9 +43,9 @@ SRCS = context.c \ |
||||
gai_sterror.c getaddrinfo.c getnameinfo.c \ |
||||
resconf.c |
||||
|
||||
-ISCLIBS = ../isc/libisc.@A@ |
||||
-DNSLIBS = ../dns/libdns.@A@ |
||||
-ISCCFGLIBS = ../isccfg/libisccfg.@A@ |
||||
+ISCLIBS = ../isc/libisc-export.@A@ |
||||
+DNSLIBS = ../dns/libdns-export.@A@ |
||||
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libirs.@SA@: ${OBJS} version.@O@ |
||||
+libirs-export.@SA@: ${OBJS} version.@O@ |
||||
${AR} ${ARFLAGS} $@ ${OBJS} version.@O@ |
||||
${RANLIB} $@ |
||||
|
||||
-libirs.la: ${OBJS} version.@O@ |
||||
+libirs-export.la: ${OBJS} version.@O@ |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \ |
||||
-rpath ${export_libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} |
||||
|
||||
-timestamp: libirs.@A@ |
||||
+timestamp: libirs-export.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \ |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \ |
||||
${DESTDIR}${export_libdir}/ |
||||
|
||||
clean distclean:: |
||||
- rm -f libirs.@A@ libirs.la timestamp |
||||
+ rm -f libirs-export.@A@ libirs-export.la timestamp |
||||
diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in |
||||
--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200 |
||||
@@ -30,11 +30,11 @@ CINCLUDES = -I. ${DNS_INCLUDES} -I${expo |
||||
CDEFINES = |
||||
CWARNINGS = |
||||
|
||||
-ISCLIBS = ../isc/libisc.@A@ |
||||
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
+ISCLIBS = ../isc/libisc-export.@A@ |
||||
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ |
||||
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@ |
||||
-ISCCFGDEPLIBS = libisccfg.@A@ |
||||
+ISCCFGDEPLIBS = libisccfg-export.@A@ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libisccfg.@SA@: ${OBJS} |
||||
+libisccfg-export.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisccfg.la: ${OBJS} |
||||
+libisccfg-export.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \ |
||||
-rpath ${export_libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS} |
||||
|
||||
-timestamp: libisccfg.@A@ |
||||
+timestamp: libisccfg-export.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \ |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \ |
||||
${DESTDIR}${export_libdir}/ |
||||
|
||||
clean distclean:: |
||||
- rm -f libisccfg.@A@ timestamp |
||||
+ rm -f libisccfg-export.@A@ timestamp |
||||
diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in |
||||
--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200 |
||||
@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \ |
||||
|
||||
LIBS = @LIBS@ |
||||
|
||||
+# Note: the order of SUBDIRS is important. |
||||
+# Attempt to disable parallel processing. |
||||
+.NOTPARALLEL: |
||||
+.NO_PARALLEL: |
||||
SUBDIRS = include unix nls @ISC_THREAD_DIR@ |
||||
TARGETS = timestamp |
||||
|
||||
@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c |
||||
-DLIBAGE=${LIBAGE} \ |
||||
-c ${srcdir}/version.c |
||||
|
||||
-libisc.@SA@: ${OBJS} |
||||
+libisc-export.@SA@: ${OBJS} |
||||
${AR} ${ARFLAGS} $@ ${OBJS} |
||||
${RANLIB} $@ |
||||
|
||||
-libisc.la: ${OBJS} |
||||
+libisc-export.la: ${OBJS} |
||||
${LIBTOOL_MODE_LINK} \ |
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \ |
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \ |
||||
-rpath ${export_libdir} \ |
||||
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ |
||||
${OBJS} ${LIBS} |
||||
|
||||
-timestamp: libisc.@A@ |
||||
+timestamp: libisc-export.@A@ |
||||
touch timestamp |
||||
|
||||
installdirs: |
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir} |
||||
|
||||
install:: timestamp installdirs |
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \ |
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \ |
||||
${DESTDIR}${export_libdir} |
||||
|
||||
clean distclean:: |
||||
- rm -f libisc.@A@ libisc.la timestamp |
||||
+ rm -f libisc-export.@A@ libisc-export.la timestamp |
||||
diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in |
||||
--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200 |
||||
+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200 |
||||
@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns |
||||
CDEFINES = |
||||
CWARNINGS = |
||||
|
||||
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@ |
||||
-ISCLIBS = ../isc/libisc.@A@ |
||||
-ISCCFGLIBS = ../isccfg/libisccfg.@A@ |
||||
-IRSLIBS = ../irs/libirs.@A@ |
||||
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@ |
||||
+ISCLIBS = ../isc/libisc-export.@A@ |
||||
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@ |
||||
+IRSLIBS = ../irs/libirs-export.@A@ |
||||
|
||||
-DNSDEPLIBS = ../dns/libdns.@A@ |
||||
-ISCDEPLIBS = ../isc/libisc.@A@ |
||||
-ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@ |
||||
-IRSDEPLIBS = ../irs/libirs.@A@ |
||||
+DNSDEPLIBS = ../dns/libdns-export.@A@ |
||||
+ISCDEPLIBS = ../isc/libisc-export.@A@ |
||||
+ISCCFGDEPLIBS = ../isccfg/libisccfg-export.@A@ |
||||
+IRSDEPLIBS = ../irs/libirs-export.@A@ |
||||
|
||||
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} |
||||
|
@ -0,0 +1,30 @@
@@ -0,0 +1,30 @@
|
||||
diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in |
||||
--- bind-9.7.0/configure.in.rh478718 2010-03-01 14:50:02.331207076 +0100 |
||||
+++ bind-9.7.0/configure.in 2010-03-01 14:50:21.501207488 +0100 |
||||
@@ -2540,6 +2540,10 @@ main() { |
||||
AC_MSG_RESULT($arch) |
||||
fi |
||||
|
||||
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then |
||||
+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!]) |
||||
+fi |
||||
+ |
||||
if test "$have_atomic" = "yes"; then |
||||
AC_MSG_CHECKING([compiler support for inline assembly code]) |
||||
|
||||
diff -up bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 bind-9.7.0/lib/isc/include/isc/platform.h.in |
||||
--- bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 2010-03-01 14:50:31.421207522 +0100 |
||||
+++ bind-9.7.0/lib/isc/include/isc/platform.h.in 2010-03-01 14:50:40.313707286 +0100 |
||||
@@ -255,7 +255,11 @@ |
||||
* If the "xaddq" operation (64bit xadd) is available on this architecture, |
||||
* ISC_PLATFORM_HAVEXADDQ will be defined. |
||||
*/ |
||||
-@ISC_PLATFORM_HAVEXADDQ@ |
||||
+#ifdef __x86_64__ |
||||
+#define ISC_PLATFORM_HAVEXADDQ 1 |
||||
+#else |
||||
+#undef ISC_PLATFORM_HAVEXADDQ |
||||
+#endif |
||||
|
||||
/* |
||||
* If the "atomic swap" operation is available on this architecture, |
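Review bot: The new `#ifdef __x86_64__` block in platform.h.in replaces the configure-time `@ISC_PLATFORM_HAVEXADDQ@` result with a bare architecture test and nothing in the header says why, so a later maintainer is likely to "fix" it back; a comment such as `/* Hard-wired per architecture instead of configure's probe so the installed header does not differ between builds of the same package; keep in step with the have_xaddq check in configure.in. */` would preserve the intent (the motive is my inference from the Fedora context, adjust if it differs). The guard added to configure.in uses `test ! ... -a ...`, which POSIX marks obsolescent; `if test "$arch" != "x86_64" && test "$have_xaddq" = "yes"; then` is the portable form. Note that the header now asserts xaddq on every x86_64 build regardless of what the probe found, so the configure error only covers the non-x86_64 direction, which is worth stating in that comment too.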
@ -0,0 +1,153 @@
@@ -0,0 +1,153 @@
|
||||
diff -up bind-9.7.2b1/bin/dig/dighost.c.rh570851 bind-9.7.2b1/bin/dig/dighost.c |
||||
--- bind-9.7.2b1/bin/dig/dighost.c.rh570851 2010-08-10 12:55:14.219403986 +0200 |
||||
+++ bind-9.7.2b1/bin/dig/dighost.c 2010-08-10 12:56:40.716015777 +0200 |
||||
@@ -126,7 +126,8 @@ isc_boolean_t |
||||
usesearch = ISC_FALSE, |
||||
showsearch = ISC_FALSE, |
||||
qr = ISC_FALSE, |
||||
- is_dst_up = ISC_FALSE; |
||||
+ is_dst_up = ISC_FALSE, |
||||
+ verbose = ISC_FALSE; |
||||
in_port_t port = 53; |
||||
unsigned int timeout = 0; |
||||
unsigned int extrabytes; |
||||
@@ -1240,10 +1241,24 @@ setup_system(void) { |
||||
} |
||||
} |
||||
|
||||
+ if (lwconf->resdebug) { |
||||
+ verbose = ISC_TRUE; |
||||
+ debug("verbose is on"); |
||||
+ } |
||||
if (ndots == -1) { |
||||
ndots = lwconf->ndots; |
||||
debug("ndots is %d.", ndots); |
||||
} |
||||
+ if (lwconf->attempts) { |
||||
+ tries = lwconf->attempts + 1; |
||||
+ if (tries < 2) |
||||
+ tries = 2; |
||||
+ debug("tries is %d.", tries); |
||||
+ } |
||||
+ if (lwconf->timeout) { |
||||
+ timeout = lwconf->timeout; |
||||
+ debug("timeout is %d.", timeout); |
||||
+ } |
||||
|
||||
/* If user doesn't specify server use nameservers from resolv.conf. */ |
||||
if (ISC_LIST_EMPTY(server_list)) |
||||
diff -up bind-9.7.2b1/bin/dig/host.c.rh570851 bind-9.7.2b1/bin/dig/host.c |
||||
--- bind-9.7.2b1/bin/dig/host.c.rh570851 2010-08-10 12:57:16.032758098 +0200 |
||||
+++ bind-9.7.2b1/bin/dig/host.c 2010-08-10 13:02:12.848559845 +0200 |
||||
@@ -659,6 +659,7 @@ parse_args(isc_boolean_t is_batchfile, i |
||||
|
||||
lookup->servfail_stops = ISC_FALSE; |
||||
lookup->comments = ISC_FALSE; |
||||
+ short_form = !verbose; |
||||
|
||||
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) { |
||||
switch (c) { |
||||
@@ -869,8 +870,8 @@ main(int argc, char **argv) { |
||||
result = isc_app_start(); |
||||
check_result(result, "isc_app_start"); |
||||
setup_libs(); |
||||
- parse_args(ISC_FALSE, argc, argv); |
||||
setup_system(); |
||||
+ parse_args(ISC_FALSE, argc, argv); |
||||
result = isc_app_onrun(mctx, global_task, onrun_callback, NULL); |
||||
check_result(result, "isc_app_onrun"); |
||||
isc_app_run(); |
||||
diff -up bind-9.7.2b1/bin/dig/include/dig/dig.h.rh570851 bind-9.7.2b1/bin/dig/include/dig/dig.h |
||||
--- bind-9.7.2b1/bin/dig/include/dig/dig.h.rh570851 2010-08-10 13:02:32.722244088 +0200 |
||||
+++ bind-9.7.2b1/bin/dig/include/dig/dig.h 2010-08-10 13:02:48.465158159 +0200 |
||||
@@ -278,6 +278,7 @@ extern isc_boolean_t debugging, memdebug |
||||
extern char *progname; |
||||
extern int tries; |
||||
extern int fatalexit; |
||||
+extern isc_boolean_t verbose; |
||||
#ifdef WITH_IDN |
||||
extern int idnoptions; |
||||
#endif |
||||
diff -up bind-9.7.2b1/lib/lwres/include/lwres/lwres.h.rh570851 bind-9.7.2b1/lib/lwres/include/lwres/lwres.h |
||||
--- bind-9.7.2b1/lib/lwres/include/lwres/lwres.h.rh570851 2010-08-10 13:04:40.465780506 +0200 |
||||
+++ bind-9.7.2b1/lib/lwres/include/lwres/lwres.h 2010-08-10 13:05:57.559867830 +0200 |
||||
@@ -243,6 +243,8 @@ typedef struct { |
||||
lwres_uint8_t resdebug; /*%< non-zero if 'options debug' set */ |
||||
lwres_uint8_t ndots; /*%< set to n in 'options ndots:n' */ |
||||
lwres_uint8_t no_tld_query; /*%< non-zero if 'options no_tld_query' */ |
||||
+ lwres_int32_t attempts; /*%< set to n in 'options attempts:n' */ |
||||
+ lwres_int32_t timeout; /*%< set to n in 'options timeout:n' */ |
||||
} lwres_conf_t; |
||||
|
||||
#define LWRES_ADDRTYPE_V4 0x00000001U /*%< ipv4 */ |
||||
diff -up bind-9.7.2b1/lib/lwres/lwconfig.c.rh570851 bind-9.7.2b1/lib/lwres/lwconfig.c |
||||
--- bind-9.7.2b1/lib/lwres/lwconfig.c.rh570851 2010-08-10 13:06:08.051778429 +0200 |
||||
+++ bind-9.7.2b1/lib/lwres/lwconfig.c 2010-08-10 13:09:53.972555776 +0200 |
||||
@@ -237,6 +237,8 @@ lwres_conf_init(lwres_context_t *ctx) { |
||||
confdata->resdebug = 0; |
||||
confdata->ndots = 1; |
||||
confdata->no_tld_query = 0; |
||||
+ confdata->attempts = 0; |
||||
+ confdata->timeout = 0; |
||||
|
||||
for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++) |
||||
lwres_resetaddr(&confdata->nameservers[i]); |
||||
@@ -289,6 +291,8 @@ lwres_conf_clear(lwres_context_t *ctx) { |
||||
confdata->resdebug = 0; |
||||
confdata->ndots = 1; |
||||
confdata->no_tld_query = 0; |
||||
+ confdata->attempts = 0; |
||||
+ confdata->timeout = 0; |
||||
} |
||||
|
||||
static lwres_result_t |
||||
@@ -530,6 +534,8 @@ static lwres_result_t |
||||
lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp) { |
||||
int delim; |
||||
long ndots; |
||||
+ long attempts; |
||||
+ long timeout; |
||||
char *p; |
||||
char word[LWRES_CONFMAXLINELEN]; |
||||
lwres_conf_t *confdata; |
||||
@@ -546,6 +552,8 @@ lwres_conf_parseoption(lwres_context_t * |
||||
confdata->resdebug = 1; |
||||
} else if (strcmp("no_tld_query", word) == 0) { |
||||
confdata->no_tld_query = 1; |
||||
+ } else if (strcmp("debug", word) == 0) { |
||||
+ confdata->resdebug = 1; |
||||
} else if (strncmp("ndots:", word, 6) == 0) { |
||||
ndots = strtol(word + 6, &p, 10); |
||||
if (*p != '\0') /* Bad string. */ |
||||
@@ -553,6 +561,18 @@ lwres_conf_parseoption(lwres_context_t * |
||||
if (ndots < 0 || ndots > 0xff) /* Out of range. */ |
||||
return (LWRES_R_FAILURE); |
||||
confdata->ndots = (lwres_uint8_t)ndots; |
||||
+ } else if (strncmp("timeout:", word, 8) == 0) { |
||||
+ timeout = strtol(word + 8, &p, 10); |
||||
+ if (*p != '\0') /* Bad string. */ |
||||
+ return (LWRES_R_FAILURE); |
||||
+ confdata->timeout = (lwres_int32_t)timeout; |
||||
+ } else if (strncmp("attempts:", word, 9) == 0) { |
||||
+ attempts = strtol(word + 9, &p, 10); |
||||
+ if (*p != '\0') /* Bad string. */ |
||||
+ return (LWRES_R_FAILURE); |
||||
+ if (attempts < 0) /* Out of range. */ |
||||
+ return (LWRES_R_FAILURE); |
||||
+ confdata->attempts = (lwres_int32_t)attempts; |
||||
} |
||||
|
||||
if (delim == EOF || delim == '\n') |
||||
@@ -716,6 +736,12 @@ lwres_conf_print(lwres_context_t *ctx, F |
||||
if (confdata->no_tld_query) |
||||
fprintf(fp, "options no_tld_query\n"); |
||||
|
||||
+ if (confdata->attempts) |
||||
+ fprintf(fp, "options attempts:%d\n", confdata->attempts); |
||||
+ |
||||
+ if (confdata->timeout) |
||||
+ fprintf(fp, "options timeout:%d\n", confdata->timeout); |
||||
+ |
||||
return (LWRES_R_SUCCESS); |
||||
} |
||||
|
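Review bot: In the new `timeout:` branch of lwres_conf_parseoption the parsed value is stored with no range check, unlike the `attempts:` branch a few lines below it which rejects negatives; add `if (timeout < 0) /* Out of range. */ return (LWRES_R_FAILURE);` before the assignment. This matters because setup_system in dighost.c (earlier in the same patch) copies `lwconf->timeout` into the `unsigned int timeout`, so a negative number in resolv.conf becomes an enormous timeout, and the `long` to `lwres_int32_t` casts in both branches silently truncate oversized values on LP64 hosts. A small upper bound for both fields would mirror what libc resolvers do with these options, but the negative check is the minimum. The `tries = lwconf->attempts + 1` line in setup_system would also benefit from that bound, since a value near INT32_MAX overflows there before the `tries < 2` clamp can help.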
@ -0,0 +1,30 @@
@@ -0,0 +1,30 @@
|
||||
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c |
||||
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200 |
||||
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200 |
||||
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) { |
||||
*/ |
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); |
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED, |
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, |
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), |
||||
"success resolving '%s' (in '%s'?) after %s", |
||||
fctx->info, domainbuf, fctx->reason); |
||||
|
||||
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin |
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf)); |
||||
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf)); |
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, |
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, |
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), |
||||
"lame server resolving '%s' (in '%s'?): %s", |
||||
namebuf, domainbuf, addrbuf); |
||||
} |
||||
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char |
||||
} |
||||
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, |
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE, |
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1), |
||||
"DNS format error from %s resolving %s%s%s: %s", |
||||
nsbuf, fctx->info, clmsg, clbuf, msgbuf); |
||||
} |
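Review bot: The three isc_log_write calls in resolver.c are lowered from ISC_LOG_INFO/ISC_LOG_NOTICE to ISC_LOG_DEBUG(1) without any comment recording the reason, and these are exactly the messages an operator relies on to notice lame delegations and malformed responses from upstream servers. Since debug levels are not shown by a default logging configuration, add a short comment at the first changed call, e.g. `/* rh645544: demoted to DEBUG(1); route the lame-servers / edns-disabled categories to a channel with 'severity debug 1' to see these. */`, and mention the change in the package changelog so log-based detection rules keyed on these strings can be adjusted. The FORMERR message in log_formerr is under DNS_LOGCATEGORY_RESOLVER rather than one of the two dedicated categories, so that category needs the same note.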
@ -0,0 +1,14 @@
@@ -0,0 +1,14 @@
|
||||
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c |
||||
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100 |
||||
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100 |
||||
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c |
||||
break; |
||||
} |
||||
|
||||
+ /* Ignore options with no parameters */ |
||||
+ if (stopchar == '\n') |
||||
+ continue; |
||||
+ |
||||
if (strlen(word) == 0U) |
||||
rval = LWRES_R_SUCCESS; |
||||
else if (strcmp(word, "nameserver") == 0) |
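Review bot: The new `if (stopchar == '\n') continue;` in lwres_conf_parse skips any line whose keyword has no argument, but the comment `/* Ignore options with no parameters */` reads as if only the `options` keyword were affected; `/* Skip any keyword that has no argument on its line (e.g. a bare "nameserver") instead of failing the whole file. */` says what the code does. The enclosing loop starts and ends outside the hunk, so check that `rval` already holds a success value before the `continue`, otherwise a file whose last line is a bare keyword returns whatever the previous iteration left in `rval`. Whether an argument-less keyword was previously a parse failure is not visible here; if it was, the change widens what resolv.conf content is accepted and deserves a line in the patch header.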
@ -0,0 +1,35 @@
@@ -0,0 +1,35 @@
|
||||
diff -up bind-9.7.3-P3/bin/named/server.c.rh693982 bind-9.7.3-P3/bin/named/server.c |
||||
--- bind-9.7.3-P3/bin/named/server.c.rh693982 2011-08-12 17:18:55.611978110 +0200 |
||||
+++ bind-9.7.3-P3/bin/named/server.c 2011-08-12 17:19:36.009975303 +0200 |
||||
@@ -4444,15 +4444,6 @@ load_configuration(const char *filename, |
||||
ns_os_changeuser(); |
||||
|
||||
/* |
||||
- * Check that the working directory is writable. |
||||
- */ |
||||
- if (access(".", W_OK) != 0) { |
||||
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, |
||||
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR, |
||||
- "the working directory is not writable"); |
||||
- } |
||||
- |
||||
- /* |
||||
* Configure the logging system. |
||||
* |
||||
* Do this after changing UID to make sure that any log |
||||
@@ -4498,6 +4489,15 @@ load_configuration(const char *filename, |
||||
} |
||||
|
||||
/* |
||||
+ * Check that the working directory is writable. |
||||
+ */ |
||||
+ if (access(".", W_OK) != 0) { |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, |
||||
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), |
||||
+ "the working directory is not writable"); |
||||
+ } |
||||
+ |
||||
+ /* |
||||
* Set the default value of the query logging flag depending |
||||
* whether a "queries" category has been defined. This is |
||||
* a disgusting hack, but we need to do this for BIND 8 |
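Review bot: The working-directory check is moved below the logging setup and lowered from ISC_LOG_ERROR to ISC_LOG_DEBUG(1) with no comment saying why a non-writable working directory is acceptable, which a future reader will likely revert as an accidental severity downgrade. Add a comment at the new block, e.g. `/* rh693982: a read-only working directory is expected in this distribution's layout, so report it at debug level only; anything named writes relative to the working directory will still fail. */`, adjusting the reason to the actual bug. Because the check now runs after the log channels are configured, the message goes to the configured channels rather than the pre-configuration defaults, so the move itself is consistent with the "Configure the logging system" comment it now follows. Keeping the check at all is right: the debug hint is the only clue an operator gets when a dump or statistics file silently fails to appear.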
@ -0,0 +1,40 @@
@@ -0,0 +1,40 @@
|
||||
diff -up bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 bind-9.8.1rc1/lib/isc/unix/socket.c |
||||
--- bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 2011-07-29 04:19:20.000000000 +0200 |
||||
+++ bind-9.8.1rc1/lib/isc/unix/socket.c 2011-09-07 18:49:54.100215897 +0200 |
||||
@@ -57,6 +57,20 @@ |
||||
#include <isc/util.h> |
||||
#include <isc/xml.h> |
||||
|
||||
+/* See task.c about the following definition: */ |
||||
+#ifdef BIND9 |
||||
+#ifdef ISC_PLATFORM_USETHREADS |
||||
+#define USE_WATCHER_THREAD |
||||
+#else |
||||
+#define USE_SHARED_MANAGER |
||||
+#endif /* ISC_PLATFORM_USETHREADS */ |
||||
+#else /* BIND9 */ |
||||
+#undef ISC_PLATFORM_HAVESYSUNH |
||||
+#undef ISC_PLATFORM_HAVEKQUEUE |
||||
+#undef ISC_PLATFORM_HAVEEPOLL |
||||
+#undef ISC_PLATFORM_HAVEDEVPOLL |
||||
+#endif /* BIND9 */ |
||||
+ |
||||
#ifdef ISC_PLATFORM_HAVESYSUNH |
||||
#include <sys/un.h> |
||||
#endif |
||||
@@ -76,15 +90,6 @@ |
||||
|
||||
#include "errno2result.h" |
||||
|
||||
-/* See task.c about the following definition: */ |
||||
-#ifdef BIND9 |
||||
-#ifdef ISC_PLATFORM_USETHREADS |
||||
-#define USE_WATCHER_THREAD |
||||
-#else |
||||
-#define USE_SHARED_MANAGER |
||||
-#endif /* ISC_PLATFORM_USETHREADS */ |
||||
-#endif /* BIND9 */ |
||||
- |
||||
#ifndef USE_WATCHER_THREAD |
||||
#include "socket_p.h" |
||||
#include "../task_p.h" |
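Review bot: The new `#else /* BIND9 */` branch in socket.c undefines ISC_PLATFORM_HAVESYSUNH, HAVEKQUEUE, HAVEEPOLL and HAVEDEVPOLL for non-BIND9 (export-library) builds without a comment, so the export library silently loses the platform's preferred event mechanism and unix-domain socket support, and nobody reading the result of platform.h will know why. Add a line above the undefs such as `/* Export library (rh735103): drop the platform event mechanisms and unix sockets so the portable code path is used. */`, adjusting the reason to match the bug; that the remaining code falls back to a portable path is my assumption from the macros removed, not something the hunk shows. The block had to move above the `#ifdef ISC_PLATFORM_HAVESYSUNH` include for the undef to take effect, which belongs in the same comment since the original position (removed in the second hunk) otherwise looks deliberate.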
@ -0,0 +1,53 @@
@@ -0,0 +1,53 @@
|
||||
diff -pruN bind-9.9.4-P1/bin/named/query.c bind-9.9.4-P2/bin/named/query.c |
||||
--- bind-9.9.4-P1/bin/named/query.c 2013-10-16 01:04:32.000000000 +0200 |
||||
+++ bind-9.9.4-P2/bin/named/query.c 2013-12-20 01:28:28.000000000 +0100 |
||||
@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname |
||||
dns_fixedname_t fixed; |
||||
dns_hash_t hash; |
||||
dns_name_t name; |
||||
- int order; |
||||
- unsigned int count; |
||||
+ unsigned int skip = 0, labels; |
||||
dns_rdata_nsec3_t nsec3; |
||||
dns_rdata_t rdata = DNS_RDATA_INIT; |
||||
isc_boolean_t optout; |
||||
@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname |
||||
|
||||
dns_name_init(&name, NULL); |
||||
dns_name_clone(qname, &name); |
||||
+ labels = dns_name_countlabels(&name); |
||||
dns_clientinfomethods_init(&cm, ns_client_sourceip); |
||||
dns_clientinfo_init(&ci, client); |
||||
|
||||
@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname |
||||
dns_rdata_reset(&rdata); |
||||
optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); |
||||
if (found != NULL && optout && |
||||
- dns_name_fullcompare(&name, dns_db_origin(db), &order, |
||||
- &count) == dns_namereln_subdomain) { |
||||
+ dns_name_issubdomain(&name, dns_db_origin(db))) |
||||
+ { |
||||
dns_rdataset_disassociate(rdataset); |
||||
if (dns_rdataset_isassociated(sigrdataset)) |
||||
dns_rdataset_disassociate(sigrdataset); |
||||
- count = dns_name_countlabels(&name) - 1; |
||||
- dns_name_getlabelsequence(&name, 1, count, &name); |
||||
+ skip++; |
||||
+ dns_name_getlabelsequence(qname, skip, labels - skip, |
||||
+ &name); |
||||
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, |
||||
NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), |
||||
"looking for closest provable encloser"); |
||||
@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname |
||||
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, |
||||
NS_LOGMODULE_QUERY, ISC_LOG_WARNING, |
||||
"expected covering NSEC3, got an exact match"); |
||||
- if (found != NULL) |
||||
+ if (found == qname) { |
||||
+ if (skip != 0U) |
||||
+ dns_name_getlabelsequence(qname, skip, labels - skip, |
||||
+ found); |
||||
+ } else if (found != NULL) |
||||
dns_name_copy(&name, found, NULL); |
||||
return; |
||||
} |
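Review bot: The new `if (found == qname)` branch in query_findclosestnsec3 encodes a caller contract — that `found` may alias `qname`, in which case qname is rewritten in place to the closest encloser — but the contract is documented nowhere in the hunk and the function's header comment is outside it. Add a comment above the branch, e.g. `/* Caller passed qname as the output name: strip the 'skip' labels into it directly rather than copying from 'name', which is derived from qname. */`, and note in the function description (outside the hunk) that `found` may be `qname`. The other part of the rewrite, re-deriving `name` from the untouched `qname` and `skip` on every pass instead of trimming `name` in place, is the robustness fix here and deserves a one-line comment at `skip++` so the next reader does not reintroduce the in-place trim. The loop that re-enters this code and the rest of the function body are not visible in the hunk.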
@ -0,0 +1,924 @@
@@ -0,0 +1,924 @@
|
||||
diff -up bind-9.9.4/bin/named/config.c.CVE-2014-8500 bind-9.9.4/bin/named/config.c |
||||
--- bind-9.9.4/bin/named/config.c.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/bin/named/config.c 2014-12-10 14:56:24.959552559 +0100 |
||||
@@ -160,6 +160,8 @@ options {\n\ |
||||
dnssec-accept-expired no;\n\ |
||||
clients-per-query 10;\n\ |
||||
max-clients-per-query 100;\n\ |
||||
+ max-recursion-depth 7;\n\ |
||||
+ max-recursion-queries 50;\n\ |
||||
zero-no-soa-ttl-cache no;\n\ |
||||
nsec3-test-zone no;\n\ |
||||
allow-new-zones no;\n\ |
||||
diff -up bind-9.9.4/bin/named/query.c.CVE-2014-8500 bind-9.9.4/bin/named/query.c |
||||
--- bind-9.9.4/bin/named/query.c.CVE-2014-8500 2014-12-10 14:56:24.945552543 +0100 |
||||
+++ bind-9.9.4/bin/named/query.c 2014-12-10 14:56:24.960552560 +0100 |
||||
@@ -3872,12 +3872,11 @@ query_recurse(ns_client_t *client, dns_r |
||||
peeraddr = &client->peeraddr; |
||||
else |
||||
peeraddr = NULL; |
||||
- result = dns_resolver_createfetch2(client->view->resolver, |
||||
+ result = dns_resolver_createfetch3(client->view->resolver, |
||||
qname, qtype, qdomain, nameservers, |
||||
NULL, peeraddr, client->message->id, |
||||
- client->query.fetchoptions, |
||||
- client->task, |
||||
- query_resume, client, |
||||
+ client->query.fetchoptions, 0, NULL, |
||||
+ client->task, query_resume, client, |
||||
rdataset, sigrdataset, |
||||
&client->query.fetch); |
||||
|
||||
diff -up bind-9.9.4/bin/named/server.c.CVE-2014-8500 bind-9.9.4/bin/named/server.c |
||||
--- bind-9.9.4/bin/named/server.c.CVE-2014-8500 2014-12-10 14:56:24.913552507 +0100 |
||||
+++ bind-9.9.4/bin/named/server.c 2014-12-10 14:56:24.961552561 +0100 |
||||
@@ -3205,6 +3205,16 @@ configure_view(dns_view_t *view, cfg_obj |
||||
cfg_obj_asuint32(obj), |
||||
max_clients_per_query); |
||||
|
||||
+ obj = NULL; |
||||
+ result = ns_config_get(maps, "max-recursion-depth", &obj); |
||||
+ INSIST(result == ISC_R_SUCCESS); |
||||
+ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj)); |
||||
+ |
||||
+ obj = NULL; |
||||
+ result = ns_config_get(maps, "max-recursion-queries", &obj); |
||||
+ INSIST(result == ISC_R_SUCCESS); |
||||
+ dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj)); |
||||
+ |
||||
#ifdef ALLOW_FILTER_AAAA_ON_V4 |
||||
obj = NULL; |
||||
result = ns_config_get(maps, "filter-aaaa-on-v4", &obj); |
||||
diff -up bind-9.9.4/doc/arm/Bv9ARM-book.xml.CVE-2014-8500 bind-9.9.4/doc/arm/Bv9ARM-book.xml |
||||
--- bind-9.9.4/doc/arm/Bv9ARM-book.xml.CVE-2014-8500 2014-12-10 14:56:24.957552556 +0100 |
||||
+++ bind-9.9.4/doc/arm/Bv9ARM-book.xml 2014-12-10 15:00:53.108931629 +0100 |
||||
@@ -4874,6 +4874,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] |
||||
<optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional> |
||||
<optional> clients-per-query <replaceable>number</replaceable> ; </optional> |
||||
<optional> max-clients-per-query <replaceable>number</replaceable> ; </optional> |
||||
+ <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional> |
||||
+ <optional> max-recursion-queries <replaceable>number</replaceable> ; </optional> |
||||
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional> |
||||
<optional> empty-server <replaceable>name</replaceable> ; </optional> |
||||
<optional> empty-contact <replaceable>name</replaceable> ; </optional> |
||||
@@ -8623,6 +8625,35 @@ avoid-v6-udp-ports { 40000; range 50000 |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
+ |
||||
+ <varlistentry id="max-recursion-depth"> |
||||
+ <term><command>max-recursion-depth</command></term> |
||||
+ <listitem> |
||||
+ <para> |
||||
+ Sets the maximum number of levels of recursion |
||||
+ that are permitted at any one time while servicing |
||||
+ a recursive query. Resolving a name may require |
||||
+ looking up a name server address, which in turn |
||||
+ requires resolving another name, etc; if the number |
||||
+ of indirections exceeds this value, the recursive |
||||
+ query is terminated and returns SERVFAIL. The |
||||
+ default is 7. |
||||
+ </para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ |
||||
+ <varlistentry id="max-recursion-queries"> |
||||
+ <term><command>max-recursion-queries</command></term> |
||||
+ <listitem> |
||||
+ <para> |
||||
+ Sets the maximum number of iterative queries that |
||||
+ may be sent while servicing a recursive query. |
||||
+ If more queries are sent, the recursive query |
||||
+ is terminated and returns SERVFAIL. The default |
||||
+ is 50. |
||||
+ </para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
|
||||
<varlistentry> |
||||
<term><command>notify-delay</command></term> |
||||
diff -up bind-9.9.4/doc/misc/options.CVE-2014-8500 bind-9.9.4/doc/misc/options |
||||
--- bind-9.9.4/doc/misc/options.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/doc/misc/options 2014-12-10 14:56:24.964552564 +0100 |
||||
@@ -162,6 +162,8 @@ options { |
||||
max-ixfr-log-size <size>; // obsolete |
||||
max-journal-size <size_no_default>; |
||||
max-ncache-ttl <integer>; |
||||
+ max-recursion-depth <integer>; |
||||
+ max-recursion-queries <integer>; |
||||
max-refresh-time <integer>; |
||||
max-retry-time <integer>; |
||||
max-rsa-exponent-size <integer>; |
||||
@@ -385,6 +387,8 @@ view <string> <optional_class> { |
||||
max-ixfr-log-size <size>; // obsolete |
||||
max-journal-size <size_no_default>; |
||||
max-ncache-ttl <integer>; |
||||
+ max-recursion-depth <integer>; |
||||
+ max-recursion-queries <integer>; |
||||
max-refresh-time <integer>; |
||||
max-retry-time <integer>; |
||||
max-transfer-idle-in <integer>; |
||||
diff -up bind-9.9.4/lib/dns/adb.c.CVE-2014-8500 bind-9.9.4/lib/dns/adb.c |
||||
--- bind-9.9.4/lib/dns/adb.c.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/dns/adb.c 2014-12-10 14:56:24.965552566 +0100 |
||||
@@ -201,6 +201,7 @@ struct dns_adbfetch { |
||||
unsigned int magic; |
||||
dns_fetch_t *fetch; |
||||
dns_rdataset_t rdataset; |
||||
+ unsigned int depth; |
||||
}; |
||||
|
||||
/*% |
||||
@@ -300,8 +301,7 @@ static inline isc_boolean_t dec_entry_re |
||||
static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *); |
||||
static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *); |
||||
static void clean_target(dns_adb_t *, dns_name_t *); |
||||
-static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, |
||||
- unsigned int); |
||||
+static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, unsigned int); |
||||
static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t); |
||||
static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **, |
||||
isc_stdtime_t); |
||||
@@ -309,6 +309,7 @@ static void cancel_fetches_at_name(dns_a |
||||
static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t, |
||||
dns_rdatatype_t); |
||||
static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t, |
||||
+ unsigned int, isc_counter_t *qc, |
||||
dns_rdatatype_t); |
||||
static inline void check_exit(dns_adb_t *); |
||||
static void destroy(dns_adb_t *); |
||||
@@ -2770,6 +2771,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_t |
||||
isc_stdtime_t now, dns_name_t *target, |
||||
in_port_t port, dns_adbfind_t **findp) |
||||
{ |
||||
+ return (dns_adb_createfind2(adb, task, action, arg, name, |
||||
+ qname, qtype, options, now, |
||||
+ target, port, 0, NULL, findp)); |
||||
+} |
||||
+ |
||||
+isc_result_t |
||||
+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, |
||||
+ void *arg, dns_name_t *name, dns_name_t *qname, |
||||
+ dns_rdatatype_t qtype, unsigned int options, |
||||
+ isc_stdtime_t now, dns_name_t *target, |
||||
+ in_port_t port, unsigned int depth, isc_counter_t *qc, |
||||
+ dns_adbfind_t **findp) |
||||
+{ |
||||
dns_adbfind_t *find; |
||||
dns_adbname_t *adbname; |
||||
int bucket; |
||||
@@ -3000,7 +3014,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_t |
||||
* Start V4. |
||||
*/ |
||||
if (WANT_INET(wanted_fetches) && |
||||
- fetch_name(adbname, start_at_zone, |
||||
+ fetch_name(adbname, start_at_zone, depth, qc, |
||||
dns_rdatatype_a) == ISC_R_SUCCESS) { |
||||
DP(DEF_LEVEL, |
||||
"dns_adb_createfind: started A fetch for name %p", |
||||
@@ -3011,7 +3025,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_t |
||||
* Start V6. |
||||
*/ |
||||
if (WANT_INET6(wanted_fetches) && |
||||
- fetch_name(adbname, start_at_zone, |
||||
+ fetch_name(adbname, start_at_zone, depth, qc, |
||||
dns_rdatatype_aaaa) == ISC_R_SUCCESS) { |
||||
DP(DEF_LEVEL, |
||||
"dns_adb_createfind: " |
||||
@@ -3754,6 +3768,12 @@ fetch_callback(isc_task_t *task, isc_eve |
||||
DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s", |
||||
buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA", |
||||
dns_result_totext(dev->result)); |
||||
+ /* |
||||
+ * Don't record a failure unless this is the initial |
||||
+ * fetch of a chain. |
||||
+ */ |
||||
+ if (fetch->depth > 1) |
||||
+ goto out; |
||||
/* XXXMLG Don't pound on bad servers. */ |
||||
if (address_type == DNS_ADBFIND_INET) { |
||||
name->expire_v4 = ISC_MIN(name->expire_v4, now + 300); |
||||
@@ -3791,9 +3811,8 @@ fetch_callback(isc_task_t *task, isc_eve |
||||
} |
||||
|
||||
static isc_result_t |
||||
-fetch_name(dns_adbname_t *adbname, |
||||
- isc_boolean_t start_at_zone, |
||||
- dns_rdatatype_t type) |
||||
+fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone, |
||||
+ unsigned int depth, isc_counter_t *qc, dns_rdatatype_t type) |
||||
{ |
||||
isc_result_t result; |
||||
dns_adbfetch_t *fetch = NULL; |
||||
@@ -3838,12 +3857,14 @@ fetch_name(dns_adbname_t *adbname, |
||||
result = ISC_R_NOMEMORY; |
||||
goto cleanup; |
||||
} |
||||
+ fetch->depth = depth; |
||||
|
||||
- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name, |
||||
- type, name, nameservers, NULL, |
||||
- options, adb->task, fetch_callback, |
||||
- adbname, &fetch->rdataset, NULL, |
||||
- &fetch->fetch); |
||||
+ result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name, |
||||
+ type, name, nameservers, NULL, |
||||
+ NULL, 0, options, depth, qc, |
||||
+ adb->task, fetch_callback, adbname, |
||||
+ &fetch->rdataset, NULL, |
||||
+ &fetch->fetch); |
||||
if (result != ISC_R_SUCCESS) |
||||
goto cleanup; |
||||
|
||||
diff -up bind-9.9.4/lib/dns/include/dns/adb.h.CVE-2014-8500 bind-9.9.4/lib/dns/include/dns/adb.h |
||||
--- bind-9.9.4/lib/dns/include/dns/adb.h.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/dns/include/dns/adb.h 2014-12-10 14:56:24.965552566 +0100 |
||||
@@ -334,6 +334,13 @@ dns_adb_createfind(dns_adb_t *adb, isc_t |
||||
dns_rdatatype_t qtype, unsigned int options, |
||||
isc_stdtime_t now, dns_name_t *target, |
||||
in_port_t port, dns_adbfind_t **find); |
||||
+isc_result_t |
||||
+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, |
||||
+ void *arg, dns_name_t *name, dns_name_t *qname, |
||||
+ dns_rdatatype_t qtype, unsigned int options, |
||||
+ isc_stdtime_t now, dns_name_t *target, in_port_t port, |
||||
+ unsigned int depth, isc_counter_t *qc, |
||||
+ dns_adbfind_t **find); |
||||
/*%< |
||||
* Main interface for clients. The adb will look up the name given in |
||||
* "name" and will build up a list of found addresses, and perhaps start |
||||
diff -up bind-9.9.4/lib/dns/include/dns/resolver.h.CVE-2014-8500 bind-9.9.4/lib/dns/include/dns/resolver.h |
||||
--- bind-9.9.4/lib/dns/include/dns/resolver.h.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/dns/include/dns/resolver.h 2014-12-10 14:56:24.965552566 +0100 |
||||
@@ -274,6 +274,18 @@ dns_resolver_createfetch2(dns_resolver_t |
||||
dns_rdataset_t *rdataset, |
||||
dns_rdataset_t *sigrdataset, |
||||
dns_fetch_t **fetchp); |
||||
+isc_result_t |
||||
+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, |
||||
+ dns_rdatatype_t type, |
||||
+ dns_name_t *domain, dns_rdataset_t *nameservers, |
||||
+ dns_forwarders_t *forwarders, |
||||
+ isc_sockaddr_t *client, isc_uint16_t id, |
||||
+ unsigned int options, unsigned int depth, |
||||
+ isc_counter_t *qc, isc_task_t *task, |
||||
+ isc_taskaction_t action, void *arg, |
||||
+ dns_rdataset_t *rdataset, |
||||
+ dns_rdataset_t *sigrdataset, |
||||
+ dns_fetch_t **fetchp); |
||||
/*%< |
||||
* Recurse to answer a question. |
||||
* |
||||
@@ -573,6 +585,30 @@ dns_resolver_printbadcache(dns_resolver_ |
||||
* |
||||
* Requires: |
||||
* \li resolver to be valid. |
||||
+ */ |
||||
+ |
||||
+void |
||||
+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth); |
||||
+unsigned int |
||||
+dns_resolver_getmaxdepth(dns_resolver_t *resolver); |
||||
+/*% |
||||
+ * Get and set how many NS indirections will be followed when looking for |
||||
+ * nameserver addresses. |
||||
+ * |
||||
+ * Requires: |
||||
+ * \li resolver to be valid. |
||||
+ */ |
||||
+ |
||||
+void |
||||
+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries); |
||||
+unsigned int |
||||
+dns_resolver_getmaxqueries(dns_resolver_t *resolver); |
||||
+/*% |
||||
+ * Get and set how many iterative queries will be allowed before |
||||
+ * terminating a recursive query. |
||||
+ * |
||||
+ * Requires: |
||||
+ * \li resolver to be valid. |
||||
*/ |
||||
|
||||
ISC_LANG_ENDDECLS |
||||
diff -up bind-9.9.4/lib/dns/resolver.c.CVE-2014-8500 bind-9.9.4/lib/dns/resolver.c |
||||
--- bind-9.9.4/lib/dns/resolver.c.CVE-2014-8500 2014-12-10 14:56:24.952552551 +0100 |
||||
+++ bind-9.9.4/lib/dns/resolver.c 2014-12-10 15:01:56.855970646 +0100 |
||||
@@ -21,6 +21,7 @@ |
||||
|
||||
#include <config.h> |
||||
|
||||
+#include <isc/counter.h> |
||||
#include <isc/log.h> |
||||
#include <isc/platform.h> |
||||
#include <isc/print.h> |
||||
@@ -130,6 +131,16 @@ |
||||
#define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */ |
||||
#endif |
||||
|
||||
+/* The default maximum number of recursions to follow before giving up. */ |
||||
+#ifndef DEFAULT_RECURSION_DEPTH |
||||
+#define DEFAULT_RECURSION_DEPTH 7 |
||||
+#endif |
||||
+ |
||||
+/* The default maximum number of iterative queries to allow before giving up. */ |
||||
+#ifndef DEFAULT_MAX_QUERIES |
||||
+#define DEFAULT_MAX_QUERIES 50 |
||||
+#endif |
||||
+ |
||||
/*% |
||||
* Maximum EDNS0 input packet size. |
||||
*/ |
||||
@@ -233,12 +244,13 @@ struct fetchctx { |
||||
isc_sockaddrlist_t edns; |
||||
isc_sockaddrlist_t edns512; |
||||
isc_sockaddrlist_t bad_edns; |
||||
- dns_validator_t *validator; |
||||
+ dns_validator_t * validator; |
||||
ISC_LIST(dns_validator_t) validators; |
||||
dns_db_t * cache; |
||||
dns_adb_t * adb; |
||||
isc_boolean_t ns_ttl_ok; |
||||
isc_uint32_t ns_ttl; |
||||
+ isc_counter_t * qc; |
||||
|
||||
/*% |
||||
* The number of events we're waiting for. |
||||
@@ -306,6 +318,7 @@ struct fetchctx { |
||||
isc_boolean_t timeout; |
||||
dns_adbaddrinfo_t *addrinfo; |
||||
isc_sockaddr_t *client; |
||||
+ unsigned int depth; |
||||
}; |
||||
|
||||
#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') |
||||
@@ -418,6 +431,8 @@ struct dns_resolver { |
||||
isc_timer_t * spillattimer; |
||||
isc_boolean_t zero_no_soa_ttl; |
||||
unsigned int query_timeout; |
||||
+ unsigned int maxdepth; |
||||
+ unsigned int maxqueries; |
||||
|
||||
/* Locked by lock. */ |
||||
unsigned int references; |
||||
@@ -1533,6 +1548,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr |
||||
if (result != ISC_R_SUCCESS) |
||||
goto cleanup_dispatch; |
||||
} |
||||
+ |
||||
fctx->querysent++; |
||||
|
||||
ISC_LIST_APPEND(fctx->queries, query, link); |
||||
@@ -2186,9 +2202,9 @@ fctx_finddone(isc_task_t *task, isc_even |
||||
*/ |
||||
INSIST(!SHUTTINGDOWN(fctx)); |
||||
fctx->attributes &= ~FCTX_ATTR_ADDRWAIT; |
||||
- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) |
||||
+ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) { |
||||
want_try = ISC_TRUE; |
||||
- else { |
||||
+ } else { |
||||
fctx->findfail++; |
||||
if (fctx->pending == 0) { |
||||
/* |
||||
@@ -2471,12 +2487,13 @@ findname(fetchctx_t *fctx, dns_name_t *n |
||||
* See what we know about this address. |
||||
*/ |
||||
find = NULL; |
||||
- result = dns_adb_createfind(fctx->adb, |
||||
- res->buckets[fctx->bucketnum].task, |
||||
- fctx_finddone, fctx, name, |
||||
- &fctx->name, fctx->type, |
||||
- options, now, NULL, |
||||
- res->view->dstport, &find); |
||||
+ result = dns_adb_createfind2(fctx->adb, |
||||
+ res->buckets[fctx->bucketnum].task, |
||||
+ fctx_finddone, fctx, name, |
||||
+ &fctx->name, fctx->type, |
||||
+ options, now, NULL, |
||||
+ res->view->dstport, |
||||
+ fctx->depth + 1, fctx->qc, &find); |
||||
if (result != ISC_R_SUCCESS) { |
||||
if (result == DNS_R_ALIAS) { |
||||
/* |
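Review bot: The meaning of the two new arguments `fctx->depth + 1` and `fctx->qc` is not recorded at the call site, and a reader of findname cannot see from here that they are what carry the new limits into the address lookup (presumably dns_adb_createfind2 passes them on to the fetches it creates, but that code is not in this patch). Suggest a comment above the call: `/* Fetches spawned for NS addresses share our query counter and run one indirection deeper. */`. findname's body continues outside the hunk.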
||||
@@ -2584,6 +2601,14 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ |
||||
|
||||
res = fctx->res; |
||||
|
||||
+ if (fctx->depth > res->maxdepth) { |
||||
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, |
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), |
||||
+ "too much NS indirection resolving '%s'", |
||||
+ fctx->info); |
||||
+ return (DNS_R_SERVFAIL); |
||||
+ } |
||||
+ |
||||
/* |
||||
* Forwarders. |
||||
*/ |
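Review bot: The refusal is logged only at ISC_LOG_DEBUG(3), so with default logging an operator sees a bare SERVFAIL and nothing that explains a fetch was cut off for too much NS indirection; the same applies to the max-queries refusal in the fctx_try hunk. These two events are exactly what a defender wants visible when a resolver is being driven into deep recursion, so consider ISC_LOG_INFO or, if 9.9.4's resolver statistics have a suitable counter (not visible here), incrementing one alongside the debug message. A short comment such as `/* Bound NS indirection; see dns_resolver_setmaxdepth(). */` above the check would also tie it to the tunable.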
||||
@@ -3059,6 +3084,16 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t |
||||
} |
||||
} |
||||
|
||||
+ result = isc_counter_increment(fctx->qc); |
||||
+ if (result != ISC_R_SUCCESS) { |
||||
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, |
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), |
||||
+ "exceeded max queries resolving '%s'", |
||||
+ fctx->info); |
||||
+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); |
||||
+ return; |
||||
+ } |
||||
+ |
||||
result = fctx_query(fctx, addrinfo, fctx->options); |
||||
if (result != ISC_R_SUCCESS) |
||||
fctx_done(fctx, result, __LINE__); |
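Review bot: The query budget appears to be one short of the configured value: isc_counter_increment in the lib/isc/counter.c hunk of this patch increments first and then returns ISC_R_QUOTA when `counter->used >= counter->limit`, so with DEFAULT_MAX_QUERIES of 50 the 50th call here fails and only 49 queries are sent. If 'max-recursion-queries N' is meant to permit N queries, the test in isc_counter_increment should be `counter->used > counter->limit`; if rejecting the Nth is intended, the comment on DEFAULT_MAX_QUERIES should say so. The enclosing fctx_try starts outside the hunk, so whether `result` is declared there is assumed.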
||||
@@ -3157,6 +3192,7 @@ fctx_destroy(fetchctx_t *fctx) { |
||||
isc_mem_put(fctx->mctx, sa, sizeof(*sa)); |
||||
} |
||||
|
||||
+ isc_counter_detach(&fctx->qc); |
||||
isc_timer_detach(&fctx->timer); |
||||
dns_message_destroy(&fctx->rmessage); |
||||
dns_message_destroy(&fctx->qmessage); |
||||
@@ -3485,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char |
||||
static isc_result_t |
||||
fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, |
||||
dns_name_t *domain, dns_rdataset_t *nameservers, |
||||
- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp) |
||||
+ unsigned int options, unsigned int bucketnum, unsigned int depth, |
||||
+ isc_counter_t *qc, fetchctx_t **fctxp) |
||||
{ |
||||
fetchctx_t *fctx; |
||||
isc_result_t result; |
||||
@@ -3507,6 +3544,21 @@ fctx_create(dns_resolver_t *res, dns_nam |
||||
fctx = isc_mem_get(mctx, sizeof(*fctx)); |
||||
if (fctx == NULL) |
||||
return (ISC_R_NOMEMORY); |
||||
+ |
||||
+ fctx->qc = NULL; |
||||
+ if (qc != NULL) { |
||||
+ isc_counter_attach(qc, &fctx->qc); |
||||
+ } else { |
||||
+ result = isc_counter_create(res->mctx, |
||||
+ res->maxqueries, &fctx->qc); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ goto cleanup_fetch; |
||||
+ } |
||||
+ |
||||
+ /* |
||||
+ * Make fctx->info point to a copy of a formatted string |
||||
+ * "name/type". |
||||
+ */ |
||||
dns_name_format(name, buf, sizeof(buf)); |
||||
dns_rdatatype_format(type, typebuf, sizeof(typebuf)); |
||||
strcat(buf, "/"); /* checked */ |
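Review bot: The attach-or-create branch has no comment explaining why a caller-supplied counter is shared rather than a fresh one always being made; suggest `/* A fetch spawned by another fetch shares its parent's query counter so the whole recursion is bounded together; a top-level fetch gets a fresh one sized by res->maxqueries. */`. Note also that `res->maxqueries` is `unsigned int` while isc_counter_create takes `int limit`, so the two types should be unified. Any `goto cleanup_fetch` that remains between this block and the new `cleanup_counter` label (the later hunks only convert the one after isc_mem_strdup) would leak the counter reference; the rest of fctx_create is outside this hunk and worth a grep.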
||||
@@ -3514,7 +3566,7 @@ fctx_create(dns_resolver_t *res, dns_nam |
||||
fctx->info = isc_mem_strdup(mctx, buf); |
||||
if (fctx->info == NULL) { |
||||
result = ISC_R_NOMEMORY; |
||||
- goto cleanup_fetch; |
||||
+ goto cleanup_counter; |
||||
} |
||||
FCTXTRACE("create"); |
||||
dns_name_init(&fctx->name, NULL); |
||||
@@ -3537,6 +3589,7 @@ fctx_create(dns_resolver_t *res, dns_nam |
||||
fctx->state = fetchstate_init; |
||||
fctx->want_shutdown = ISC_FALSE; |
||||
fctx->cloned = ISC_FALSE; |
||||
+ fctx->depth = depth; |
||||
ISC_LIST_INIT(fctx->queries); |
||||
ISC_LIST_INIT(fctx->finds); |
||||
ISC_LIST_INIT(fctx->altfinds); |
||||
@@ -3742,6 +3795,9 @@ fctx_create(dns_resolver_t *res, dns_nam |
||||
cleanup_info: |
||||
isc_mem_free(mctx, fctx->info); |
||||
|
||||
+ cleanup_counter: |
||||
+ isc_counter_detach(&fctx->qc); |
||||
+ |
||||
cleanup_fetch: |
||||
isc_mem_put(mctx, fctx, sizeof(*fctx)); |
||||
|
||||
@@ -5655,7 +5711,7 @@ noanswer_response(fetchctx_t *fctx, dns_ |
||||
char qbuf[DNS_NAME_FORMATSIZE]; |
||||
char nbuf[DNS_NAME_FORMATSIZE]; |
||||
char tbuf[DNS_RDATATYPE_FORMATSIZE]; |
||||
- dns_rdatatype_format(fctx->type, tbuf, |
||||
+ dns_rdatatype_format(type, tbuf, |
||||
sizeof(tbuf)); |
||||
dns_name_format(name, nbuf, |
||||
sizeof(nbuf)); |
||||
@@ -5664,7 +5720,7 @@ noanswer_response(fetchctx_t *fctx, dns_ |
||||
log_formerr(fctx, |
||||
"unrelated %s %s in " |
||||
"%s authority section", |
||||
- tbuf, qbuf, nbuf); |
||||
+ tbuf, nbuf, qbuf); |
||||
return (DNS_R_FORMERR); |
||||
} |
||||
if (type == dns_rdatatype_ns) { |
||||
@@ -7725,6 +7781,8 @@ dns_resolver_create(dns_view_t *view, |
||||
res->spillattimer = NULL; |
||||
res->zero_no_soa_ttl = ISC_FALSE; |
||||
res->query_timeout = DEFAULT_QUERY_TIMEOUT; |
||||
+ res->maxdepth = DEFAULT_RECURSION_DEPTH; |
||||
+ res->maxqueries = DEFAULT_MAX_QUERIES; |
||||
res->nbuckets = ntasks; |
||||
res->activebuckets = ntasks; |
||||
res->buckets = isc_mem_get(view->mctx, |
||||
@@ -8163,9 +8221,9 @@ dns_resolver_createfetch(dns_resolver_t |
||||
dns_rdataset_t *sigrdataset, |
||||
dns_fetch_t **fetchp) |
||||
{ |
||||
- return (dns_resolver_createfetch2(res, name, type, domain, |
||||
+ return (dns_resolver_createfetch3(res, name, type, domain, |
||||
nameservers, forwarders, NULL, 0, |
||||
- options, task, action, arg, |
||||
+ options, 0, NULL, task, action, arg, |
||||
rdataset, sigrdataset, fetchp)); |
||||
} |
||||
|
||||
@@ -8181,6 +8239,25 @@ dns_resolver_createfetch2(dns_resolver_t |
||||
dns_rdataset_t *sigrdataset, |
||||
dns_fetch_t **fetchp) |
||||
{ |
||||
+ return (dns_resolver_createfetch3(res, name, type, domain, |
||||
+ nameservers, forwarders, client, id, |
||||
+ options, 0, NULL, task, action, arg, |
||||
+ rdataset, sigrdataset, fetchp)); |
||||
+} |
||||
+ |
||||
+isc_result_t |
||||
+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, |
||||
+ dns_rdatatype_t type, |
||||
+ dns_name_t *domain, dns_rdataset_t *nameservers, |
||||
+ dns_forwarders_t *forwarders, |
||||
+ isc_sockaddr_t *client, dns_messageid_t id, |
||||
+ unsigned int options, unsigned int depth, |
||||
+ isc_counter_t *qc, isc_task_t *task, |
||||
+ isc_taskaction_t action, void *arg, |
||||
+ dns_rdataset_t *rdataset, |
||||
+ dns_rdataset_t *sigrdataset, |
||||
+ dns_fetch_t **fetchp) |
||||
+{ |
||||
dns_fetch_t *fetch; |
||||
fetchctx_t *fctx = NULL; |
||||
isc_result_t result = ISC_R_SUCCESS; |
||||
@@ -8269,11 +8346,12 @@ dns_resolver_createfetch2(dns_resolver_t |
||||
|
||||
if (fctx == NULL) { |
||||
result = fctx_create(res, name, type, domain, nameservers, |
||||
- options, bucketnum, &fctx); |
||||
+ options, bucketnum, depth, qc, &fctx); |
||||
if (result != ISC_R_SUCCESS) |
||||
goto unlock; |
||||
new_fctx = ISC_TRUE; |
||||
- } |
||||
+ } else if (fctx->depth > depth) |
||||
+ fctx->depth = depth; |
||||
|
||||
result = fctx_join(fctx, task, client, id, action, arg, |
||||
rdataset, sigrdataset, fetch); |
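Review bot: Lowering `fctx->depth` when a shallower fetch joins an existing context is not explained, and it has a side effect worth stating: the joining fetch keeps the existing context's `qc`, so the `qc` passed by this caller is ignored on the join path and the budget charged is the original creator's. A comment such as `/* A shallower fetch joining us lifts the depth limit for the whole context; its query counter is not adopted. */` would save the next reader the trace. Whether this write is covered by the bucket lock is not visible in the hunk, though the surrounding `goto unlock` suggests it is.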
||||
@@ -9045,3 +9123,27 @@ dns_resolver_settimeout(dns_resolver_t * |
||||
|
||||
resolver->query_timeout = seconds; |
||||
} |
||||
+ |
||||
+void |
||||
+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) { |
||||
+ REQUIRE(VALID_RESOLVER(resolver)); |
||||
+ resolver->maxdepth = maxdepth; |
||||
+} |
||||
+ |
||||
+unsigned int |
||||
+dns_resolver_getmaxdepth(dns_resolver_t *resolver) { |
||||
+ REQUIRE(VALID_RESOLVER(resolver)); |
||||
+ return (resolver->maxdepth); |
||||
+} |
||||
+ |
||||
+void |
||||
+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) { |
||||
+ REQUIRE(VALID_RESOLVER(resolver)); |
||||
+ resolver->maxqueries = queries; |
||||
+} |
||||
+ |
||||
+unsigned int |
||||
+dns_resolver_getmaxqueries(dns_resolver_t *resolver) { |
||||
+ REQUIRE(VALID_RESOLVER(resolver)); |
||||
+ return (resolver->maxqueries); |
||||
+} |
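Review bot: dns_resolver_setmaxqueries only affects fetch contexts created after the call, because the limit is captured by isc_counter_create in fctx_create, whereas dns_resolver_setmaxdepth takes effect immediately since fctx_getaddresses reads `res->maxdepth` on every call; this difference is not documented. Suggest a comment on the former: `/* Applies to fetches created after this call; in-flight fetches keep the counter they were created with. */`. Neither setter takes the resolver lock; if these can be changed by a reconfigure while fetches are running that is probably acceptable for a plain unsigned int, but it deserves a note in the header.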
||||
diff -up bind-9.9.4/lib/export/isc/Makefile.in.CVE-2014-8500 bind-9.9.4/lib/export/isc/Makefile.in |
||||
--- bind-9.9.4/lib/export/isc/Makefile.in.CVE-2014-8500 2014-12-10 14:56:24.907552500 +0100 |
||||
+++ bind-9.9.4/lib/export/isc/Makefile.in 2014-12-10 14:56:24.967552568 +0100 |
||||
@@ -63,7 +63,7 @@ WIN32OBJS = win32/condition.@O@ win32/d |
||||
# Alphabetically |
||||
OBJS = @ISC_EXTRA_OBJS@ \ |
||||
assertions.@O@ backtrace.@O@ backtrace-emptytbl.@O@ base32.@O@ \ |
||||
- base64.@O@ buffer.@O@ bufferlist.@O@ \ |
||||
+ base64.@O@ buffer.@O@ bufferlist.@O@ counter.@O@ \ |
||||
error.@O@ event.@O@ \ |
||||
hash.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \ |
||||
inet_aton.@O@ iterated_hash.@O@ lex.@O@ lfsr.@O@ log.@O@ \ |
||||
@@ -85,7 +85,7 @@ ISCDRIVERSRCS = mem.c task.c lib.c timer |
||||
|
||||
SRCS = @ISC_EXTRA_SRCS@ \ |
||||
assertions.c backtrace.c backtrace-emptytbl.c base32.c \ |
||||
- base64.c buffer.c bufferlist.c \ |
||||
+ base64.c buffer.c bufferlist.c counter.c \ |
||||
error.c event.c \ |
||||
hash.c hex.c hmacmd5.c hmacsha.c \ |
||||
inet_aton.c iterated_hash.c lex.c log.c lfsr.c \ |
||||
diff -up bind-9.9.4/lib/isccfg/namedconf.c.CVE-2014-8500 bind-9.9.4/lib/isccfg/namedconf.c |
||||
--- bind-9.9.4/lib/isccfg/namedconf.c.CVE-2014-8500 2014-12-10 14:56:24.969552570 +0100 |
||||
+++ bind-9.9.4/lib/isccfg/namedconf.c 2014-12-10 15:04:14.636091707 +0100 |
||||
@@ -1421,6 +1421,8 @@ view_clauses[] = { |
||||
{ "max-cache-ttl", &cfg_type_uint32, 0 }, |
||||
{ "max-clients-per-query", &cfg_type_uint32, 0 }, |
||||
{ "max-ncache-ttl", &cfg_type_uint32, 0 }, |
||||
+ { "max-recursion-depth", &cfg_type_uint32, 0 }, |
||||
+ { "max-recursion-queries", &cfg_type_uint32, 0 }, |
||||
{ "max-udp-size", &cfg_type_uint32, 0 }, |
||||
{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, |
||||
{ "minimal-responses", &cfg_type_boolean, 0 }, |
||||
diff -up bind-9.9.4/lib/isc/counter.c.CVE-2014-8500 bind-9.9.4/lib/isc/counter.c |
||||
--- bind-9.9.4/lib/isc/counter.c.CVE-2014-8500 2014-12-10 14:56:24.968552569 +0100 |
||||
+++ bind-9.9.4/lib/isc/counter.c 2014-12-10 14:56:24.968552569 +0100 |
||||
@@ -0,0 +1,138 @@ |
||||
+/* |
||||
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") |
||||
+ * |
||||
+ * Permission to use, copy, modify, and/or distribute this software for any |
||||
+ * purpose with or without fee is hereby granted, provided that the above |
||||
+ * copyright notice and this permission notice appear in all copies. |
||||
+ * |
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+ * PERFORMANCE OF THIS SOFTWARE. |
||||
+ */ |
||||
+ |
||||
+/*! \file */ |
||||
+ |
||||
+#include <config.h> |
||||
+ |
||||
+#include <stddef.h> |
||||
+ |
||||
+#include <isc/counter.h> |
||||
+#include <isc/magic.h> |
||||
+#include <isc/mem.h> |
||||
+#include <isc/util.h> |
||||
+ |
||||
+#define COUNTER_MAGIC ISC_MAGIC('C', 'n', 't', 'r') |
||||
+#define VALID_COUNTER(r) ISC_MAGIC_VALID(r, COUNTER_MAGIC) |
||||
+ |
||||
+struct isc_counter { |
||||
+ unsigned int magic; |
||||
+ isc_mem_t *mctx; |
||||
+ isc_mutex_t lock; |
||||
+ unsigned int references; |
||||
+ unsigned int limit; |
||||
+ unsigned int used; |
||||
+}; |
||||
+ |
||||
+isc_result_t |
||||
+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp) { |
||||
+ isc_result_t result; |
||||
+ isc_counter_t *counter; |
||||
+ |
||||
+ REQUIRE(counterp != NULL && *counterp == NULL); |
||||
+ |
||||
+ counter = isc_mem_get(mctx, sizeof(*counter)); |
||||
+ if (counter == NULL) |
||||
+ return (ISC_R_NOMEMORY); |
||||
+ |
||||
+ result = isc_mutex_init(&counter->lock); |
||||
+ if (result != ISC_R_SUCCESS) { |
||||
+ isc_mem_put(mctx, counter, sizeof(*counter)); |
||||
+ return (result); |
||||
+ } |
||||
+ |
||||
+ counter->mctx = NULL; |
||||
+ isc_mem_attach(mctx, &counter->mctx); |
||||
+ |
||||
+ counter->references = 1; |
||||
+ counter->limit = limit; |
||||
+ counter->used = 0; |
||||
+ |
||||
+ counter->magic = COUNTER_MAGIC; |
||||
+ *counterp = counter; |
||||
+ return (ISC_R_SUCCESS); |
||||
+} |
||||
+ |
||||
+isc_result_t |
||||
+isc_counter_increment(isc_counter_t *counter) { |
||||
+ isc_result_t result = ISC_R_SUCCESS; |
||||
+ |
||||
+ LOCK(&counter->lock); |
||||
+ counter->used++; |
||||
+ if (counter->limit != 0 && counter->used >= counter->limit) |
||||
+ result = ISC_R_QUOTA; |
||||
+ UNLOCK(&counter->lock); |
||||
+ |
||||
+ return (result); |
||||
+} |
||||
+ |
||||
+unsigned int |
||||
+isc_counter_used(isc_counter_t *counter) { |
||||
+ REQUIRE(VALID_COUNTER(counter)); |
||||
+ |
||||
+ return (counter->used); |
||||
+} |
||||
+ |
||||
+void |
||||
+isc_counter_setlimit(isc_counter_t *counter, int limit) { |
||||
+ REQUIRE(VALID_COUNTER(counter)); |
||||
+ |
||||
+ LOCK(&counter->lock); |
||||
+ counter->limit = limit; |
||||
+ UNLOCK(&counter->lock); |
||||
+} |
||||
+ |
||||
+void |
||||
+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp) { |
||||
+ REQUIRE(VALID_COUNTER(source)); |
||||
+ REQUIRE(targetp != NULL && *targetp == NULL); |
||||
+ |
||||
+ LOCK(&source->lock); |
||||
+ source->references++; |
||||
+ INSIST(source->references > 0); |
||||
+ UNLOCK(&source->lock); |
||||
+ |
||||
+ *targetp = source; |
||||
+} |
||||
+ |
||||
+static void |
||||
+destroy(isc_counter_t *counter) { |
||||
+ counter->magic = 0; |
||||
+ isc_mutex_destroy(&counter->lock); |
||||
+ isc_mem_putanddetach(&counter->mctx, counter, sizeof(*counter)); |
||||
+} |
||||
+ |
||||
+void |
||||
+isc_counter_detach(isc_counter_t **counterp) { |
||||
+ isc_counter_t *counter; |
||||
+ isc_boolean_t want_destroy = ISC_FALSE; |
||||
+ |
||||
+ REQUIRE(counterp != NULL && *counterp != NULL); |
||||
+ counter = *counterp; |
||||
+ REQUIRE(VALID_COUNTER(counter)); |
||||
+ |
||||
+ *counterp = NULL; |
||||
+ |
||||
+ LOCK(&counter->lock); |
||||
+ INSIST(counter->references > 0); |
||||
+ counter->references--; |
||||
+ if (counter->references == 0) |
||||
+ want_destroy = ISC_TRUE; |
||||
+ UNLOCK(&counter->lock); |
||||
+ |
||||
+ if (want_destroy) |
||||
+ destroy(counter); |
||||
+} |
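Review bot: isc_counter_increment omits `REQUIRE(VALID_COUNTER(counter));` that every other public function in this file performs; add it before the LOCK so a freed or uninitialised counter is caught there too. isc_counter_create and isc_counter_setlimit take `int limit` but store it into `unsigned int limit`, so a negative value silently becomes an enormous limit; either take `unsigned int` or `REQUIRE(limit >= 0)`. isc_counter_used reads `counter->used` without the lock, which is fine for a diagnostic but should be stated in the header, and the limit-0-means-unlimited rule lives only in the `counter->limit != 0` test here.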
||||
diff -up bind-9.9.4/lib/isc/include/isc/counter.h.CVE-2014-8500 bind-9.9.4/lib/isc/include/isc/counter.h |
||||
--- bind-9.9.4/lib/isc/include/isc/counter.h.CVE-2014-8500 2014-12-10 14:56:24.968552569 +0100 |
||||
+++ bind-9.9.4/lib/isc/include/isc/counter.h 2014-12-10 14:56:24.968552569 +0100 |
||||
@@ -0,0 +1,90 @@ |
||||
+/* |
||||
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") |
||||
+ * |
||||
+ * Permission to use, copy, modify, and/or distribute this software for any |
||||
+ * purpose with or without fee is hereby granted, provided that the above |
||||
+ * copyright notice and this permission notice appear in all copies. |
||||
+ * |
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+ * PERFORMANCE OF THIS SOFTWARE. |
||||
+ */ |
||||
+ |
||||
+#ifndef ISC_COUNTER_H |
||||
+#define ISC_COUNTER_H 1 |
||||
+ |
||||
+/***** |
||||
+ ***** Module Info |
||||
+ *****/ |
||||
+ |
||||
+/*! \file isc/counter.h |
||||
+ * |
||||
+ * \brief The isc_counter_t object is a simplified version of the |
||||
+ * isc_quota_t object; it tracks the consumption of limited |
||||
+ * resources, returning an error condition when the quota is |
||||
+ * exceeded. However, unlike isc_quota_t, attaching and detaching |
||||
+ * from a counter object does not increment or decrement the counter. |
||||
+ */ |
||||
+ |
||||
+/*** |
||||
+ *** Imports. |
||||
+ ***/ |
||||
+ |
||||
+#include <isc/lang.h> |
||||
+#include <isc/mutex.h> |
||||
+#include <isc/types.h> |
||||
+ |
||||
+/***** |
||||
+ ***** Types. |
||||
+ *****/ |
||||
+ |
||||
+ISC_LANG_BEGINDECLS |
||||
+ |
||||
+isc_result_t |
||||
+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp); |
||||
+/*%< |
||||
+ * Allocate and initialize a counter object. |
||||
+ */ |
||||
+ |
||||
+isc_result_t |
||||
+isc_counter_increment(isc_counter_t *counter); |
||||
+/*%< |
||||
+ * Increment the counter. |
||||
+ * |
||||
+ * If the counter limit is nonzero and has been reached, then |
||||
+ * return ISC_R_QUOTA, otherwise ISC_R_SUCCESS. (The counter is |
||||
+ * incremented regardless of return value.) |
||||
+ */ |
||||
+ |
||||
+unsigned int |
||||
+isc_counter_used(isc_counter_t *counter); |
||||
+/*%< |
||||
+ * Return the current counter value. |
||||
+ */ |
||||
+ |
||||
+void |
||||
+isc_counter_setlimit(isc_counter_t *counter, int limit); |
||||
+/*%< |
||||
+ * Set the counter limit. |
||||
+ */ |
||||
+ |
||||
+void |
||||
+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp); |
||||
+/*%< |
||||
+ * Attach to a counter object, increasing its reference counter. |
||||
+ */ |
||||
+ |
||||
+void |
||||
+isc_counter_detach(isc_counter_t **counterp); |
||||
+/*%< |
||||
+ * Detach (and destroy if reference counter has dropped to zero) |
||||
+ * a counter object. |
||||
+ */ |
||||
+ |
||||
+ISC_LANG_ENDDECLS |
||||
+ |
||||
+#endif /* ISC_COUNTER_H */ |
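Review bot: The header never states that a limit of 0 means no limit, which is what counter.c implements; add ` * A limit of 0 means no limit.` to both isc_counter_create and isc_counter_setlimit. The `int limit` parameter disagrees with the `unsigned int` that isc_counter_used returns and that the struct stores, so one type should be chosen. It would also help callers to say that isc_counter_increment is safe to call concurrently while isc_counter_used is an unlocked snapshot.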
||||
diff -up bind-9.9.4/lib/isc/include/isc/Makefile.in.CVE-2014-8500 bind-9.9.4/lib/isc/include/isc/Makefile.in |
||||
--- bind-9.9.4/lib/isc/include/isc/Makefile.in.CVE-2014-8500 2014-12-10 15:02:34.811005903 +0100 |
||||
+++ bind-9.9.4/lib/isc/include/isc/Makefile.in 2014-12-10 15:03:01.099030322 +0100 |
||||
@@ -27,7 +27,7 @@ top_srcdir = @top_srcdir@ |
||||
# install target below. |
||||
# |
||||
HEADERS = app.h assertions.h base64.h bind9.h bitstring.h boolean.h \ |
||||
- buffer.h bufferlist.h commandline.h entropy.h error.h event.h \ |
||||
+ buffer.h bufferlist.h commandline.h counter.h entropy.h error.h event.h \ |
||||
eventclass.h file.h formatcheck.h fsaccess.h \ |
||||
hash.h heap.h hex.h hmacmd5.h hmacsha.h \ |
||||
httpd.h \ |
||||
diff -up bind-9.9.4/lib/isc/include/isc/types.h.CVE-2014-8500 bind-9.9.4/lib/isc/include/isc/types.h |
||||
--- bind-9.9.4/lib/isc/include/isc/types.h.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/isc/include/isc/types.h 2014-12-10 14:56:24.968552569 +0100 |
||||
@@ -50,6 +50,7 @@ typedef struct isc_buffer isc_buffer_t; |
||||
typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t; /*%< Buffer List */ |
||||
typedef struct isc_constregion isc_constregion_t; /*%< Const region */ |
||||
typedef struct isc_consttextregion isc_consttextregion_t; /*%< Const Text Region */ |
||||
+typedef struct isc_counter isc_counter_t; /*%< Counter */ |
||||
typedef struct isc_entropy isc_entropy_t; /*%< Entropy */ |
||||
typedef struct isc_entropysource isc_entropysource_t; /*%< Entropy Source */ |
||||
typedef struct isc_event isc_event_t; /*%< Event */ |
||||
diff -up bind-9.9.4/lib/isc/Makefile.in.CVE-2014-8500 bind-9.9.4/lib/isc/Makefile.in |
||||
--- bind-9.9.4/lib/isc/Makefile.in.CVE-2014-8500 2014-12-10 14:56:24.860552447 +0100 |
||||
+++ bind-9.9.4/lib/isc/Makefile.in 2014-12-10 14:56:24.968552569 +0100 |
||||
@@ -53,7 +53,7 @@ WIN32OBJS = win32/condition.@O@ win32/d |
||||
OBJS = @ISC_EXTRA_OBJS@ \ |
||||
assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \ |
||||
bitstring.@O@ buffer.@O@ bufferlist.@O@ commandline.@O@ \ |
||||
- error.@O@ event.@O@ \ |
||||
+ counter.@O@ error.@O@ event.@O@ \ |
||||
hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \ |
||||
httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \ |
||||
lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \ |
||||
@@ -70,8 +70,8 @@ SYMTBLOBJS = backtrace-emptytbl.@O@ |
||||
# Alphabetically |
||||
SRCS = @ISC_EXTRA_SRCS@ \ |
||||
assertions.c backtrace.c base32.c base64.c bitstring.c \ |
||||
- buffer.c bufferlist.c commandline.c error.c event.c \ |
||||
- heap.c hex.c hmacmd5.c hmacsha.c \ |
||||
+ buffer.c bufferlist.c commandline.c counter.c \ |
||||
+ error.c event.c heap.c hex.c hmacmd5.c hmacsha.c \ |
||||
httpd.c inet_aton.c iterated_hash.c \ |
||||
lex.c lfsr.c lib.c log.c \ |
||||
md5.c mem.c mutexblock.c \ |
@ -0,0 +1,25 @@
@@ -0,0 +1,25 @@
|
||||
diff -up bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 bind-9.9.4/lib/dns/zone.c |
||||
--- bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 2015-03-02 11:18:36.138872044 +0100 |
||||
+++ bind-9.9.4/lib/dns/zone.c 2015-03-02 11:20:15.941032102 +0100 |
||||
@@ -8456,6 +8456,12 @@ keyfetch_done(isc_task_t *task, isc_even |
||||
namebuf, tag); |
||||
trustkey = ISC_TRUE; |
||||
} |
||||
+ } else { |
||||
+ /* |
||||
+ * No previously known key, and the key is not |
||||
+ * secure, so skip it. |
||||
+ */ |
||||
+ continue; |
||||
} |
||||
|
||||
/* Delete old version */ |
||||
@@ -8504,7 +8510,7 @@ keyfetch_done(isc_task_t *task, isc_even |
||||
trust_key(zone, keyname, &dnskey, mctx); |
||||
} |
||||
|
||||
- if (!deletekey) |
||||
+ if (secure && !deletekey) |
||||
set_refreshkeytimer(zone, &keydata, now); |
||||
} |
||||
|
@ -0,0 +1,21 @@
@@ -0,0 +1,21 @@
|
||||
diff --git a/lib/dns/validator.c b/lib/dns/validator.c |
||||
--- a/lib/dns/validator.c |
||||
+++ b/lib/dns/validator.c |
||||
@@ -1422,7 +1422,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) { |
||||
*/ |
||||
static isc_boolean_t |
||||
isselfsigned(dns_validator_t *val) { |
||||
- dns_fixedname_t fixed; |
||||
dns_rdataset_t *rdataset, *sigrdataset; |
||||
dns_rdata_t rdata = DNS_RDATA_INIT; |
||||
dns_rdata_t sigrdata = DNS_RDATA_INIT; |
||||
@@ -1478,8 +1477,7 @@ isselfsigned(dns_validator_t *val) { |
||||
result = dns_dnssec_verify3(name, rdataset, dstkey, |
||||
ISC_TRUE, |
||||
val->view->maxbits, |
||||
- mctx, &sigrdata, |
||||
- dns_fixedname_name(&fixed)); |
||||
+ mctx, &sigrdata, NULL); |
||||
dst_key_free(&dstkey); |
||||
if (result != ISC_R_SUCCESS) |
||||
continue; |
@ -0,0 +1,11 @@
@@ -0,0 +1,11 @@
|
||||
diff -up bind-9.9.4/lib/dns/tkey.c.CVE-2015-5477 bind-9.9.4/lib/dns/tkey.c |
||||
--- bind-9.9.4/lib/dns/tkey.c.CVE-2015-5477 2015-07-27 22:36:02.318505839 +0200 |
||||
+++ bind-9.9.4/lib/dns/tkey.c 2015-07-27 22:36:39.764698712 +0200 |
||||
@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg |
||||
* Try the answer section, since that's where Win2000 |
||||
* puts it. |
||||
*/ |
||||
+ name = NULL; |
||||
if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname, |
||||
dns_rdatatype_tkey, 0, &name, |
||||
&tkeyset) != ISC_R_SUCCESS) { |
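Review bot: The reset relies on a precondition of dns_message_findname that the hunk does not state: it requires `*name == NULL` on entry, and `name` was presumably left set by the preceding lookup in another section, so a reader may otherwise take the new line for dead code. Suggest `name = NULL;  /* dns_message_findname() requires *name == NULL on entry */`. The enclosing dns_tkey_processquery starts and ends outside the hunk.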
@ -0,0 +1,449 @@
@@ -0,0 +1,449 @@
|
||||
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c |
||||
index 7a56c79..3ac01a8 100644 |
||||
--- a/lib/dns/hmac_link.c |
||||
+++ b/lib/dns/hmac_link.c |
||||
@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) { |
||||
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t)); |
||||
if (hmacmd5ctx == NULL) |
||||
return (ISC_R_NOMEMORY); |
||||
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH); |
||||
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH); |
||||
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx; |
||||
return (ISC_R_SUCCESS); |
||||
} |
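Review bot: Switching the HMAC-MD5 key handling from ISC_SHA1_BLOCK_LENGTH to ISC_MD5_BLOCK_LENGTH is behaviour-neutral only if the two constants are equal and if the `hkey->key` array, declared outside these hunks, is dimensioned with the same constant; otherwise the isc_safe_memcmp in hmacmd5_compare and the memset in hmacmd5_generate run past the array. A bound that cannot drift is `isc_safe_memcmp(hkey1->key, hkey2->key, sizeof(hkey1->key))`, which hmacmd5_fromdns already uses for its memset. The same rename appears in the hmacmd5_compare, hmacmd5_generate and hmacmd5_fromdns hunks.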
||||
@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) { |
||||
else if (hkey1 == NULL || hkey2 == NULL) |
||||
return (ISC_FALSE); |
||||
|
||||
- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH)) |
||||
+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH)) |
||||
return (ISC_TRUE); |
||||
else |
||||
return (ISC_FALSE); |
||||
@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { |
||||
isc_buffer_t b; |
||||
isc_result_t ret; |
||||
unsigned int bytes; |
||||
- unsigned char data[ISC_SHA1_BLOCK_LENGTH]; |
||||
+ unsigned char data[ISC_MD5_BLOCK_LENGTH]; |
||||
|
||||
UNUSED(callback); |
||||
|
||||
bytes = (key->key_size + 7) / 8; |
||||
- if (bytes > ISC_SHA1_BLOCK_LENGTH) { |
||||
- bytes = ISC_SHA1_BLOCK_LENGTH; |
||||
- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8; |
||||
+ if (bytes > ISC_MD5_BLOCK_LENGTH) { |
||||
+ bytes = ISC_MD5_BLOCK_LENGTH; |
||||
+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8; |
||||
} |
||||
|
||||
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH); |
||||
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH); |
||||
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0)); |
||||
|
||||
if (ret != ISC_R_SUCCESS) |
||||
@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) { |
||||
isc_buffer_init(&b, data, bytes); |
||||
isc_buffer_add(&b, bytes); |
||||
ret = hmacmd5_fromdns(key, &b); |
||||
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH); |
||||
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH); |
||||
|
||||
return (ret); |
||||
} |
||||
@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
|
||||
memset(hkey->key, 0, sizeof(hkey->key)); |
||||
|
||||
- if (r.length > ISC_SHA1_BLOCK_LENGTH) { |
||||
+ if (r.length > ISC_MD5_BLOCK_LENGTH) { |
||||
isc_md5_init(&md5ctx); |
||||
isc_md5_update(&md5ctx, r.base, r.length); |
||||
isc_md5_final(&md5ctx, hkey->key); |
||||
@@ -237,6 +237,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
key->key_size = keylen * 8; |
||||
key->keydata.hmacmd5 = hkey; |
||||
|
||||
+ isc_buffer_forward(data, r.length); |
||||
+ |
||||
return (ISC_R_SUCCESS); |
||||
} |
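Review bot: `isc_buffer_forward(data, r.length)` consumes the entire remaining region after the key has been stored, so a caller that checks for trailing data after the call now sees the buffer as fully consumed; that is presumably the intent (the key occupies the rest of the rdata), but the hunk shows no relation between `keylen`, `r.length` and the amount forwarded beyond the hashing branch, so a one-line comment such as `/* The whole remaining region is the key material. */` would help. The identical addition is made in hmacsha1_fromdns, hmacsha224_fromdns, hmacsha256_fromdns, hmacsha384_fromdns and hmacsha512_fromdns.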
||||
|
||||
@@ -518,6 +520,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
key->key_size = keylen * 8; |
||||
key->keydata.hmacsha1 = hkey; |
||||
|
||||
+ isc_buffer_forward(data, r.length); |
||||
+ |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
|
||||
@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
key->key_size = keylen * 8; |
||||
key->keydata.hmacsha224 = hkey; |
||||
|
||||
+ isc_buffer_forward(data, r.length); |
||||
+ |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
|
||||
@@ -1090,6 +1096,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
key->key_size = keylen * 8; |
||||
key->keydata.hmacsha256 = hkey; |
||||
|
||||
+ isc_buffer_forward(data, r.length); |
||||
+ |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
|
||||
@@ -1376,6 +1384,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
key->key_size = keylen * 8; |
||||
key->keydata.hmacsha384 = hkey; |
||||
|
||||
+ isc_buffer_forward(data, r.length); |
||||
+ |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
|
||||
@@ -1662,6 +1672,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
key->key_size = keylen * 8; |
||||
key->keydata.hmacsha512 = hkey; |
||||
|
||||
+ isc_buffer_forward(data, r.length); |
||||
+ |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
|
||||
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h |
||||
index bdbd269..37853aa 100644 |
||||
--- a/lib/dns/include/dst/dst.h |
||||
+++ b/lib/dns/include/dst/dst.h |
||||
@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t; |
||||
#define DST_ALG_HMACSHA256 163 /* XXXMPA */ |
||||
#define DST_ALG_HMACSHA384 164 /* XXXMPA */ |
||||
#define DST_ALG_HMACSHA512 165 /* XXXMPA */ |
||||
+#define DST_ALG_INDIRECT 252 |
||||
#define DST_ALG_PRIVATE 254 |
||||
#define DST_ALG_EXPAND 255 |
||||
#define DST_MAX_ALGS 255 |
||||
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c |
||||
index bcb3d05..3114954 100644 |
||||
--- a/lib/dns/ncache.c |
||||
+++ b/lib/dns/ncache.c |
||||
@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name, |
||||
dns_name_fromregion(&tname, &remaining); |
||||
INSIST(remaining.length >= tname.length); |
||||
isc_buffer_forward(&source, tname.length); |
||||
- remaining.length -= tname.length; |
||||
- remaining.base += tname.length; |
||||
+ isc_region_consume(&remaining, tname.length); |
||||
|
||||
INSIST(remaining.length >= 2); |
||||
type = isc_buffer_getuint16(&source); |
||||
- remaining.length -= 2; |
||||
- remaining.base += 2; |
||||
+ isc_region_consume(&remaining, 2); |
||||
|
||||
if (type != dns_rdatatype_rrsig || |
||||
!dns_name_equal(&tname, name)) { |
||||
@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name, |
||||
INSIST(remaining.length >= 1); |
||||
trust = isc_buffer_getuint8(&source); |
||||
INSIST(trust <= dns_trust_ultimate); |
||||
- remaining.length -= 1; |
||||
- remaining.base += 1; |
||||
+ isc_region_consume(&remaining, 1); |
||||
|
||||
raw = remaining.base; |
||||
count = raw[0] * 256 + raw[1]; |
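Review bot: After `isc_region_consume(&remaining, 1)` the code reads `raw[0]` and `raw[1]` from `remaining.base`, but the only length assertions visible are the `>= 2` before the type and the `>= 1` before the trust byte, so nothing shown guarantees two bytes remain for the count; if there is no `INSIST(remaining.length >= 2);` immediately below the hunk, add one before `raw = remaining.base;`. The isc_region_consume replacements themselves are equivalent to the removed pointer/length arithmetic, in both dns_ncache_getsigrdataset hunks.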
||||
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c |
||||
index 55752da..f0cee8d 100644 |
||||
--- a/lib/dns/openssldh_link.c |
||||
+++ b/lib/dns/openssldh_link.c |
||||
@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) { |
||||
|
||||
static void |
||||
uint16_toregion(isc_uint16_t val, isc_region_t *region) { |
||||
- *region->base++ = (val & 0xff00) >> 8; |
||||
- *region->base++ = (val & 0x00ff); |
||||
+ *region->base = (val & 0xff00) >> 8; |
||||
+ isc_region_consume(region, 1); |
||||
+ *region->base = (val & 0x00ff); |
||||
+ isc_region_consume(region, 1); |
||||
} |
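Review bot: uint16_toregion stores through `region->base` before the first isc_region_consume, so even if isc_region_consume asserts `length >= n` in this tree the first write is unchecked; a `REQUIRE(region->length >= 2);` at the top makes the contract explicit. uint16_fromregion in the next hunk has the same shape, reading `cp[0]` and `cp[1]` before consuming. If isc_region_consume here is the unchecked macro, the rest of the file's conversions are cosmetic and the callers' own length checks remain the only guard.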
||||
|
||||
static isc_uint16_t |
||||
@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) { |
||||
val = ((unsigned int)(cp[0])) << 8; |
||||
val |= ((unsigned int)(cp[1])); |
||||
|
||||
- region->base += 2; |
||||
+ isc_region_consume(region, 2); |
||||
+ |
||||
return (val); |
||||
} |
||||
|
||||
@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { |
||||
} |
||||
else |
||||
BN_bn2bin(dh->p, r.base); |
||||
- r.base += plen; |
||||
+ isc_region_consume(&r, plen); |
||||
|
||||
uint16_toregion(glen, &r); |
||||
if (glen > 0) |
||||
BN_bn2bin(dh->g, r.base); |
||||
- r.base += glen; |
||||
+ isc_region_consume(&r, glen); |
||||
|
||||
uint16_toregion(publen, &r); |
||||
BN_bn2bin(dh->pub_key, r.base); |
||||
- r.base += publen; |
||||
+ isc_region_consume(&r, publen); |
||||
|
||||
isc_buffer_add(data, dnslen); |
||||
|
||||
@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
if (plen == 1 || plen == 2) { |
||||
- if (plen == 1) |
||||
- special = *r.base++; |
||||
- else |
||||
+ if (plen == 1) { |
||||
+ special = *r.base; |
||||
+ isc_region_consume(&r, 1); |
||||
+ } else { |
||||
special = uint16_fromregion(&r); |
||||
+ } |
||||
switch (special) { |
||||
case 1: |
||||
dh->p = &bn768; |
||||
@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
DH_free(dh); |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
- } |
||||
- else { |
||||
+ } else { |
||||
dh->p = BN_bin2bn(r.base, plen, NULL); |
||||
- r.base += plen; |
||||
+ isc_region_consume(&r, plen); |
||||
} |
||||
|
||||
/* |
||||
@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
} |
||||
- } |
||||
- else { |
||||
+ } else { |
||||
if (glen == 0) { |
||||
DH_free(dh); |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
dh->g = BN_bin2bn(r.base, glen, NULL); |
||||
} |
||||
- r.base += glen; |
||||
+ isc_region_consume(&r, glen); |
||||
|
||||
if (r.length < 2) { |
||||
DH_free(dh); |
||||
@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
dh->pub_key = BN_bin2bn(r.base, publen, NULL); |
||||
- r.base += publen; |
||||
+ isc_region_consume(&r, publen); |
||||
|
||||
key->key_size = BN_num_bits(dh->p); |
||||
|
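Review bot: `dh->pub_key = BN_bin2bn(r.base, publen, NULL);` stores the result without checking it, and `BN_bin2bn()` returns NULL when allocation fails, so a NULL public key would be accepted and `key->key_size` computed as if the key were complete. A check such as `if (dh->pub_key == NULL) { DH_free(dh); return (ISC_R_NOMEMORY); }` before the consume closes that. The same unchecked pattern is visible for `dh->p` and `dh->g` in the earlier hunks of this file and for the `BN_bin2bn` calls in openssldsa_fromdns and opensslrsa_fromdns further down, and `BN_num_bits(dh->p)` on the next line would dereference a NULL `p` if the earlier `dh->p = BN_bin2bn(r.base, plen, NULL)` had failed.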
||||
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c |
||||
index fd6e91e..8e16557 100644 |
||||
--- a/lib/dns/openssldsa_link.c |
||||
+++ b/lib/dns/openssldsa_link.c |
||||
@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { |
||||
DSA *dsa = key->keydata.dsa; |
||||
isc_region_t r; |
||||
DSA_SIG *dsasig; |
||||
+ unsigned int klen; |
||||
#if USE_EVP |
||||
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; |
||||
EVP_PKEY *pkey; |
||||
@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { |
||||
"DSA_do_sign", |
||||
DST_R_SIGNFAILURE)); |
||||
#endif |
||||
- *r.base++ = (key->key_size - 512)/64; |
||||
+ |
||||
+ klen = (key->key_size - 512)/64; |
||||
+ if (klen > 255) |
||||
+ return (ISC_R_FAILURE); |
||||
+ *r.base = klen; |
||||
+ isc_region_consume(&r, 1); |
||||
+ |
||||
BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH); |
||||
- r.base += ISC_SHA1_DIGESTLENGTH; |
||||
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); |
||||
BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH); |
||||
- r.base += ISC_SHA1_DIGESTLENGTH; |
||||
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); |
||||
DSA_SIG_free(dsasig); |
||||
isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1); |
||||
|
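Review bot: The new early return `if (klen > 255) return (ISC_R_FAILURE);` leaks the `DSA_SIG` produced just above it: `dsasig` comes from the `DSA_do_sign` call whose failure message ends at the top of the hunk, and it is only released by `DSA_SIG_free(dsasig)` further down, which this return skips. Change it to `if (klen > 255) { DSA_SIG_free(dsasig); return (ISC_R_FAILURE); }`. The range test also covers a key size below 512 bits, since `klen` is unsigned and `(key->key_size - 512)/64` would then wrap to a large value, provided `key_size` is unsigned as well; a short comment saying so would save the next reader from wondering why the low end is not tested explicitly.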
||||
@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) { |
||||
if (r.length < (unsigned int) dnslen) |
||||
return (ISC_R_NOSPACE); |
||||
|
||||
- *r.base++ = t; |
||||
+ *r.base = t; |
||||
+ isc_region_consume(&r, 1); |
||||
BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH); |
||||
- r.base += ISC_SHA1_DIGESTLENGTH; |
||||
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); |
||||
BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8); |
||||
- r.base += p_bytes; |
||||
+ isc_region_consume(&r, p_bytes); |
||||
BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8); |
||||
- r.base += p_bytes; |
||||
+ isc_region_consume(&r, p_bytes); |
||||
BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8); |
||||
- r.base += p_bytes; |
||||
+ isc_region_consume(&r, p_bytes); |
||||
|
||||
isc_buffer_add(data, dnslen); |
||||
|
||||
@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
return (ISC_R_NOMEMORY); |
||||
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P; |
||||
|
||||
- t = (unsigned int) *r.base++; |
||||
+ t = (unsigned int) *r.base; |
||||
+ isc_region_consume(&r, 1); |
||||
if (t > 8) { |
||||
DSA_free(dsa); |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
p_bytes = 64 + 8 * t; |
||||
|
||||
- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { |
||||
+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) { |
||||
DSA_free(dsa); |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
|
||||
dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL); |
||||
- r.base += ISC_SHA1_DIGESTLENGTH; |
||||
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH); |
||||
|
||||
dsa->p = BN_bin2bn(r.base, p_bytes, NULL); |
||||
- r.base += p_bytes; |
||||
+ isc_region_consume(&r, p_bytes); |
||||
|
||||
dsa->g = BN_bin2bn(r.base, p_bytes, NULL); |
||||
- r.base += p_bytes; |
||||
+ isc_region_consume(&r, p_bytes); |
||||
|
||||
dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL); |
||||
- r.base += p_bytes; |
||||
+ isc_region_consume(&r, p_bytes); |
||||
|
||||
key->key_size = p_bytes * 8; |
||||
|
||||
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c |
||||
index c64cc55..40c612b 100644 |
||||
--- a/lib/dns/opensslecdsa_link.c |
||||
+++ b/lib/dns/opensslecdsa_link.c |
||||
@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) { |
||||
"ECDSA_do_sign", |
||||
DST_R_SIGNFAILURE)); |
||||
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2); |
||||
- r.base += siglen / 2; |
||||
+ isc_region_consume(&r, siglen / 2); |
||||
BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2); |
||||
- r.base += siglen / 2; |
||||
+ isc_region_consume(&r, siglen / 2); |
||||
ECDSA_SIG_free(ecdsasig); |
||||
isc_buffer_add(sig, siglen); |
||||
ret = ISC_R_SUCCESS; |
||||
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c |
||||
index 1edeb8d..53c6d4b 100644 |
||||
--- a/lib/dns/opensslrsa_link.c |
||||
+++ b/lib/dns/opensslrsa_link.c |
||||
@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
RSA *rsa; |
||||
isc_region_t r; |
||||
unsigned int e_bytes; |
||||
+ unsigned int length; |
||||
#if USE_EVP |
||||
EVP_PKEY *pkey; |
||||
#endif |
||||
@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
isc_buffer_remainingregion(data, &r); |
||||
if (r.length == 0) |
||||
return (ISC_R_SUCCESS); |
||||
+ length = r.length; |
||||
|
||||
rsa = RSA_new(); |
||||
if (rsa == NULL) |
||||
@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
RSA_free(rsa); |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
- e_bytes = *r.base++; |
||||
- r.length--; |
||||
+ e_bytes = *r.base; |
||||
+ isc_region_consume(&r, 1); |
||||
|
||||
if (e_bytes == 0) { |
||||
if (r.length < 2) { |
||||
RSA_free(rsa); |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
- e_bytes = ((*r.base++) << 8); |
||||
- e_bytes += *r.base++; |
||||
- r.length -= 2; |
||||
+ e_bytes = (*r.base) << 8; |
||||
+ isc_region_consume(&r, 1); |
||||
+ e_bytes += *r.base; |
||||
+ isc_region_consume(&r, 1); |
||||
} |
||||
|
||||
if (r.length < e_bytes) { |
||||
@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { |
||||
return (DST_R_INVALIDPUBLICKEY); |
||||
} |
||||
rsa->e = BN_bin2bn(r.base, e_bytes, NULL); |
||||
- r.base += e_bytes; |
||||
- r.length -= e_bytes; |
||||
+ isc_region_consume(&r, e_bytes); |
||||
|
||||
rsa->n = BN_bin2bn(r.base, r.length, NULL); |
||||
|
||||
key->key_size = BN_num_bits(rsa->n); |
||||
|
||||
- isc_buffer_forward(data, r.length); |
||||
+ isc_buffer_forward(data, length); |
||||
|
||||
#if USE_EVP |
||||
pkey = EVP_PKEY_new(); |
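Review bot: After the exponent is consumed, `rsa->n = BN_bin2bn(r.base, r.length, NULL);` is handed whatever is left with no check that it is non-empty: the guard `if (r.length < e_bytes)` above admits `r.length == e_bytes`, in which case the modulus is built from zero bytes and `key->key_size` becomes 0. Rejecting that explicitly with `if (r.length == 0) { RSA_free(rsa); return (DST_R_INVALIDPUBLICKEY); }` before the `rsa->n` assignment keeps a degenerate key from surviving this parser, unless a later consumer is already known to refuse a zero-bit key. The `isc_buffer_forward(data, length)` change itself looks right, since the previous call advanced by the modulus length alone rather than by the whole key. `BN_bin2bn()` can also return NULL on allocation failure, which neither assignment checks.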
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 2004b0b..c7971b1 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -8959,6 +8959,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name, |
||||
|
||||
REQUIRE(VALID_RESOLVER(resolver)); |
||||
|
||||
+ /* |
||||
+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1. |
||||
+ */ |
||||
+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT)) |
||||
+ return (ISC_FALSE); |
||||
+ |
||||
#if USE_ALGLOCK |
||||
RWLOCK(&resolver->alglock, isc_rwlocktype_read); |
||||
#endif |
||||
|
@@ -0,0 +1,179 @@
|
||||
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h |
||||
index a6862fa..d999e75 100644 |
||||
--- a/lib/dns/include/dns/message.h |
||||
+++ b/lib/dns/include/dns/message.h |
||||
@@ -210,6 +210,8 @@ struct dns_message { |
||||
unsigned int verify_attempted : 1; |
||||
unsigned int free_query : 1; |
||||
unsigned int free_saved : 1; |
||||
+ unsigned int tkey : 1; |
||||
+ unsigned int rdclass_set : 1; |
||||
|
||||
unsigned int opt_reserved; |
||||
unsigned int sig_reserved; |
||||
@@ -1374,6 +1376,15 @@ dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt, |
||||
* \li other. |
||||
*/ |
||||
|
||||
+void |
||||
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass); |
||||
+/*%< |
||||
+ * Set the expected class of records in the response. |
||||
+ * |
||||
+ * Requires: |
||||
+ * \li msg be a valid message with parsing intent. |
||||
+ */ |
||||
+ |
||||
ISC_LANG_ENDDECLS |
||||
|
||||
#endif /* DNS_MESSAGE_H */ |
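Review bot: The description of `dns_message_setclass()` is incomplete: the implementation at the end of this patch also requires that no class has been established yet (`REQUIRE(msg->state == DNS_SECTION_ANY)` and `REQUIRE(msg->rdclass_set == 0)`), so it must be called before `dns_message_parse()` and at most once per parse, otherwise it aborts. Add to the Requires list `\li dns_message_parse() has not yet been called on msg and no class has been set`, and a sentence in the description noting that the parser will then treat records of any other class as a format error, which is the reason for calling it.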
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c |
||||
index 53efc5a..73def73 100644 |
||||
--- a/lib/dns/message.c |
||||
+++ b/lib/dns/message.c |
||||
@@ -436,6 +436,8 @@ msginit(dns_message_t *m) { |
||||
m->saved.base = NULL; |
||||
m->saved.length = 0; |
||||
m->free_saved = 0; |
||||
+ m->tkey = 0; |
||||
+ m->rdclass_set = 0; |
||||
m->querytsig = NULL; |
||||
} |
||||
|
||||
@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
* If this class is different than the one we already read, |
||||
* this is an error. |
||||
*/ |
||||
- if (msg->state == DNS_SECTION_ANY) { |
||||
- msg->state = DNS_SECTION_QUESTION; |
||||
+ if (msg->rdclass_set == 0) { |
||||
msg->rdclass = rdclass; |
||||
+ msg->rdclass_set = 1; |
||||
} else if (msg->rdclass != rdclass) |
||||
DO_FORMERR; |
||||
|
||||
/* |
||||
+ * Is this a TKEY query? |
||||
+ */ |
||||
+ if (rdtype == dns_rdatatype_tkey) |
||||
+ msg->tkey = 1; |
||||
+ |
||||
+ /* |
||||
* Can't ask the same question twice. |
||||
*/ |
||||
result = dns_message_find(name, rdclass, rdtype, 0, NULL); |
||||
@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
* If there was no question section, we may not yet have |
||||
* established a class. Do so now. |
||||
*/ |
||||
- if (msg->state == DNS_SECTION_ANY && |
||||
+ if (msg->rdclass_set == 0 && |
||||
rdtype != dns_rdatatype_opt && /* class is UDP SIZE */ |
||||
rdtype != dns_rdatatype_tsig && /* class is ANY */ |
||||
rdtype != dns_rdatatype_tkey) { /* class is undefined */ |
||||
msg->rdclass = rdclass; |
||||
- msg->state = DNS_SECTION_QUESTION; |
||||
+ msg->rdclass_set = 1; |
||||
} |
||||
|
||||
/* |
||||
@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
if (msg->opcode != dns_opcode_update |
||||
&& rdtype != dns_rdatatype_tsig |
||||
&& rdtype != dns_rdatatype_opt |
||||
- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */ |
||||
+ && rdtype != dns_rdatatype_key /* in a TKEY query */ |
||||
&& rdtype != dns_rdatatype_sig /* SIG(0) */ |
||||
&& rdtype != dns_rdatatype_tkey /* Win2000 TKEY */ |
||||
&& msg->rdclass != dns_rdataclass_any |
||||
@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
DO_FORMERR; |
||||
|
||||
/* |
||||
+ * If this is not a TKEY query/response then the KEY |
||||
+ * record's class needs to match. |
||||
+ */ |
||||
+ if (msg->opcode != dns_opcode_update && !msg->tkey && |
||||
+ rdtype == dns_rdatatype_key && |
||||
+ msg->rdclass != dns_rdataclass_any && |
||||
+ msg->rdclass != rdclass) |
||||
+ DO_FORMERR; |
||||
+ |
||||
+ /* |
||||
* Special type handling for TSIG, OPT, and TKEY. |
||||
*/ |
||||
if (rdtype == dns_rdatatype_tsig) { |
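Review bot: The new KEY-class test repeats guards from the condition immediately above it (`msg->opcode != dns_opcode_update`, `msg->rdclass != dns_rdataclass_any`, and presumably the `msg->rdclass != rdclass` compare on the line hidden just before `DO_FORMERR`), differing only in exempting KEY while `msg->tkey` is set. It can be folded into that condition by replacing `&& rdtype != dns_rdatatype_key /* in a TKEY query */` with `&& (rdtype != dns_rdatatype_key || !msg->tkey) /* KEY exempt only in a TKEY query */`, leaving a single class check to maintain. Note also that `msg->tkey` is set only from the question section in getquestions, so a TKEY message carrying no question would have its KEY records class-checked like any other; that may be intended, but the comment above the new block should say so.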
||||
@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
skip_name_search = ISC_TRUE; |
||||
skip_type_search = ISC_TRUE; |
||||
issigzero = ISC_TRUE; |
||||
+ } else { |
||||
+ if (msg->rdclass != dns_rdataclass_any && |
||||
+ msg->rdclass != rdclass) |
||||
+ DO_FORMERR; |
||||
} |
||||
} else |
||||
covers = 0; |
||||
@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source, |
||||
msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source); |
||||
|
||||
msg->header_ok = 1; |
||||
+ msg->state = DNS_SECTION_QUESTION; |
||||
|
||||
/* |
||||
* -1 means no EDNS. |
||||
@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp, |
||||
dns_message_puttemprdatalist(message, &rdatalist); |
||||
return (result); |
||||
} |
||||
+ |
||||
+void |
||||
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) { |
||||
+ |
||||
+ REQUIRE(DNS_MESSAGE_VALID(msg)); |
||||
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE); |
||||
+ REQUIRE(msg->state == DNS_SECTION_ANY); |
||||
+ REQUIRE(msg->rdclass_set == 0); |
||||
+ |
||||
+ msg->rdclass = rdclass; |
||||
+ msg->rdclass_set = 1; |
||||
+} |
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index aa23b11..d220986 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -6964,6 +6964,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { |
||||
goto done; |
||||
} |
||||
|
||||
+ dns_message_setclass(message, fctx->res->rdclass); |
||||
+ |
||||
result = dns_message_parse(message, &devent->buffer, 0); |
||||
if (result != ISC_R_SUCCESS) { |
||||
switch (result) { |
||||
@@ -7036,6 +7038,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) { |
||||
*/ |
||||
log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx); |
||||
|
||||
+ if (message->rdclass != fctx->res->rdclass) { |
||||
+ resend = ISC_TRUE; |
||||
+ FCTXTRACE("bad class"); |
||||
+ goto done; |
||||
+ } |
||||
+ |
||||
/* |
||||
* Process receive opt record. |
||||
*/ |
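Review bot: The new `message->rdclass != fctx->res->rdclass` test looks unreachable after the `dns_message_setclass(message, fctx->res->rdclass)` call inserted before `dns_message_parse()` in the previous hunk: with the class preset, getquestions and getsection in this patch reject any record of another class as a format error and never overwrite `msg->rdclass`, so a successfully parsed message should always carry the resolver's class. Keeping it as defence in depth is reasonable, but a comment such as `/* Should not happen once the class was preset via dns_message_setclass(); treat as a bad response. */` would stop the next reader from hunting for the path that triggers it. If such a path exists, `resend = ISC_TRUE` presumably retries the query rather than marking the server, which is worth confirming as the intended reaction.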
||||
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c |
||||
index 9ad8960..938373a 100644 |
||||
--- a/lib/dns/xfrin.c |
||||
+++ b/lib/dns/xfrin.c |
||||
@@ -1241,6 +1241,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { |
||||
msg->tsigctx = xfr->tsigctx; |
||||
xfr->tsigctx = NULL; |
||||
|
||||
+ dns_message_setclass(msg, xfr->rdclass); |
||||
+ |
||||
if (xfr->nmsg > 0) |
||||
msg->tcp_continuation = 1; |
||||
|
@@ -0,0 +1,22 @@
|
||||
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c |
||||
index eb927b9..df35025 100644 |
||||
--- a/lib/dns/rdata/in_1/apl_42.c |
||||
+++ b/lib/dns/rdata/in_1/apl_42.c |
||||
@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) { |
||||
isc_uint8_t len; |
||||
isc_boolean_t neg; |
||||
unsigned char buf[16]; |
||||
- char txt[sizeof(" !64000")]; |
||||
+ char txt[sizeof(" !64000:")]; |
||||
const char *sep = ""; |
||||
int n; |
||||
|
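Review bot: The widened buffer `char txt[sizeof(" !64000:")];` is sized with a sample value rather than the bound it is meant to cover, so a reader has to work out that `64000` stands in for the five decimal digits of a 16-bit `afi` printed by the `%u` below, where the `INSIST(n < (int)sizeof(txt))` would otherwise fire. Writing `char txt[sizeof(" !65535:")]; /* sep, '!', 16-bit AFI, ':' */` documents the limit directly, and the size is the same nine bytes. This assumes `afi` is a 16-bit value, which its declaration outside the hunk should confirm.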
||||
@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) { |
||||
isc_region_consume(&sr, 1); |
||||
INSIST(len <= sr.length); |
||||
n = snprintf(txt, sizeof(txt), "%s%s%u:", sep, |
||||
- neg ? "!": "", afi); |
||||
+ neg ? "!" : "", afi); |
||||
INSIST(n < (int)sizeof(txt)); |
||||
RETERR(str_totext(txt, target)); |
||||
switch (afi) { |
@@ -0,0 +1,431 @@
|
||||
diff --git a/bin/named/control.c b/bin/named/control.c |
||||
index fabe442..06eadce 100644 |
||||
--- a/bin/named/control.c |
||||
+++ b/bin/named/control.c |
||||
@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { |
||||
#endif |
||||
|
||||
data = isccc_alist_lookup(message, "_data"); |
||||
- if (data == NULL) { |
||||
+ if (!isccc_alist_alistp(data)) { |
||||
/* |
||||
* No data section. |
||||
*/ |
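Review bot: The comment under the new check, `No data section.`, no longer matches it: `!isccc_alist_alistp(data)` also rejects a `_data` entry that is present but not an association list, which is the case this change exists for. Update it to `/* No (or malformed) data section. */` so the reason for the type check survives. The rest of the branch is outside the hunk.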
||||
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c |
||||
index c46a6e1..ef32790 100644 |
||||
--- a/bin/named/controlconf.c |
||||
+++ b/bin/named/controlconf.c |
||||
@@ -396,7 +396,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { |
||||
* Limit exposure to replay attacks. |
||||
*/ |
||||
_ctrl = isccc_alist_lookup(request, "_ctrl"); |
||||
- if (_ctrl == NULL) { |
||||
+ if (!isccc_alist_alistp(_ctrl)) { |
||||
log_invalid(&conn->ccmsg, ISC_R_FAILURE); |
||||
goto cleanup_request; |
||||
} |
||||
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c |
||||
index ba2c3f6..9a007e2 100644 |
||||
--- a/bin/rndc/rndc.c |
||||
+++ b/bin/rndc/rndc.c |
||||
@@ -252,8 +252,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { |
||||
DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); |
||||
|
||||
data = isccc_alist_lookup(response, "_data"); |
||||
- if (data == NULL) |
||||
- fatal("no data section in response"); |
||||
+ if (!isccc_alist_alistp(data)) |
||||
+ fatal("bad or missing data section in response"); |
||||
result = isccc_cc_lookupstring(data, "err", &errormsg); |
||||
if (result == ISC_R_SUCCESS) { |
||||
failed = ISC_TRUE; |
||||
@@ -316,8 +316,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { |
||||
DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); |
||||
|
||||
_ctrl = isccc_alist_lookup(response, "_ctrl"); |
||||
- if (_ctrl == NULL) |
||||
- fatal("_ctrl section missing"); |
||||
+ if (!isccc_alist_alistp(_ctrl)) |
||||
+ fatal("bad or missing ctrl section in response"); |
||||
nonce = 0; |
||||
if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) |
||||
nonce = 0; |
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index d220986..8696b15 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -5408,14 +5408,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { |
||||
} |
||||
|
||||
static inline isc_result_t |
||||
-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, |
||||
- dns_name_t *oname, dns_fixedname_t *fixeddname) |
||||
+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, |
||||
+ unsigned int nlabels, dns_fixedname_t *fixeddname) |
||||
{ |
||||
isc_result_t result; |
||||
dns_rdata_t rdata = DNS_RDATA_INIT; |
||||
- unsigned int nlabels; |
||||
- int order; |
||||
- dns_namereln_t namereln; |
||||
dns_rdata_dname_t dname; |
||||
dns_fixedname_t prefix; |
||||
|
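Review bot: `dname_target()` now trusts its `nlabels` argument to be correct for `qname` against the DNAME owner, since the `dns_name_fullcompare()` and the `dns_namereln_subdomain` check that used to compute and validate it inside the function are removed in the next hunk and moved into answer_response. That precondition should be documented at the function, e.g. a comment above the signature: `/* nlabels must be the common-label count returned by dns_name_fullcompare(qname, owner, ...) when it reported dns_namereln_subdomain; the caller has already validated that relationship. */`, so a future caller does not pass an unchecked value to `dns_name_split(qname, nlabels, ...)`.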
||||
@@ -5430,21 +5427,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, |
||||
if (result != ISC_R_SUCCESS) |
||||
return (result); |
||||
|
||||
- /* |
||||
- * Get the prefix of qname. |
||||
- */ |
||||
- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); |
||||
- if (namereln != dns_namereln_subdomain) { |
||||
- char qbuf[DNS_NAME_FORMATSIZE]; |
||||
- char obuf[DNS_NAME_FORMATSIZE]; |
||||
- |
||||
- dns_rdata_freestruct(&dname); |
||||
- dns_name_format(qname, qbuf, sizeof(qbuf)); |
||||
- dns_name_format(oname, obuf, sizeof(obuf)); |
||||
- log_formerr(fctx, "unrelated DNAME in answer: " |
||||
- "%s is not in %s", qbuf, obuf); |
||||
- return (DNS_R_FORMERR); |
||||
- } |
||||
dns_fixedname_init(&prefix); |
||||
dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); |
||||
dns_fixedname_init(fixeddname); |
||||
@@ -6057,13 +6039,13 @@ static isc_result_t |
||||
answer_response(fetchctx_t *fctx) { |
||||
isc_result_t result; |
||||
dns_message_t *message; |
||||
- dns_name_t *name, *qname, tname, *ns_name; |
||||
+ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; |
||||
dns_rdataset_t *rdataset, *ns_rdataset; |
||||
isc_boolean_t done, external, chaining, aa, found, want_chaining; |
||||
isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; |
||||
unsigned int aflag; |
||||
dns_rdatatype_t type; |
||||
- dns_fixedname_t dname, fqname; |
||||
+ dns_fixedname_t fdname, fqname; |
||||
dns_view_t *view; |
||||
|
||||
FCTXTRACE("answer_response"); |
||||
@@ -6091,10 +6073,15 @@ answer_response(fetchctx_t *fctx) { |
||||
view = fctx->res->view; |
||||
result = dns_message_firstname(message, DNS_SECTION_ANSWER); |
||||
while (!done && result == ISC_R_SUCCESS) { |
||||
+ dns_namereln_t namereln; |
||||
+ int order; |
||||
+ unsigned int nlabels; |
||||
+ |
||||
name = NULL; |
||||
dns_message_currentname(message, DNS_SECTION_ANSWER, &name); |
||||
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); |
||||
- if (dns_name_equal(name, qname)) { |
||||
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels); |
||||
+ if (namereln == dns_namereln_equal) { |
||||
wanted_chaining = ISC_FALSE; |
||||
for (rdataset = ISC_LIST_HEAD(name->list); |
||||
rdataset != NULL; |
||||
@@ -6219,10 +6206,11 @@ answer_response(fetchctx_t *fctx) { |
||||
*/ |
||||
INSIST(!external); |
||||
if (aflag == |
||||
- DNS_RDATASETATTR_ANSWER) |
||||
+ DNS_RDATASETATTR_ANSWER) { |
||||
have_answer = ISC_TRUE; |
||||
- name->attributes |= |
||||
- DNS_NAMEATTR_ANSWER; |
||||
+ name->attributes |= |
||||
+ DNS_NAMEATTR_ANSWER; |
||||
+ } |
||||
rdataset->attributes |= aflag; |
||||
if (aa) |
||||
rdataset->trust = |
||||
@@ -6277,6 +6265,8 @@ answer_response(fetchctx_t *fctx) { |
||||
if (wanted_chaining) |
||||
chaining = ISC_TRUE; |
||||
} else { |
||||
+ dns_rdataset_t *dnameset = NULL; |
||||
+ |
||||
/* |
||||
* Look for a DNAME (or its SIG). Anything else is |
||||
* ignored. |
||||
@@ -6284,32 +6274,56 @@ answer_response(fetchctx_t *fctx) { |
||||
wanted_chaining = ISC_FALSE; |
||||
for (rdataset = ISC_LIST_HEAD(name->list); |
||||
rdataset != NULL; |
||||
- rdataset = ISC_LIST_NEXT(rdataset, link)) { |
||||
- isc_boolean_t found_dname = ISC_FALSE; |
||||
- dns_name_t *dname_name; |
||||
+ rdataset = ISC_LIST_NEXT(rdataset, link)) |
||||
+ { |
||||
+ /* |
||||
+ * Only pass DNAME or RRSIG(DNAME). |
||||
+ */ |
||||
+ if (rdataset->type != dns_rdatatype_dname && |
||||
+ (rdataset->type != dns_rdatatype_rrsig || |
||||
+ rdataset->covers != dns_rdatatype_dname)) |
||||
+ continue; |
||||
+ |
||||
+ /* |
||||
+ * If we're not chaining, then the DNAME and |
||||
+ * its signature should not be external. |
||||
+ */ |
||||
+ if (!chaining && external) { |
||||
+ char qbuf[DNS_NAME_FORMATSIZE]; |
||||
+ char obuf[DNS_NAME_FORMATSIZE]; |
||||
+ |
||||
+ dns_name_format(name, qbuf, |
||||
+ sizeof(qbuf)); |
||||
+ dns_name_format(&fctx->domain, obuf, |
||||
+ sizeof(obuf)); |
||||
+ log_formerr(fctx, "external DNAME or " |
||||
+ "RRSIG covering DNAME " |
||||
+ "in answer: %s is " |
||||
+ "not in %s", qbuf, obuf); |
||||
+ return (DNS_R_FORMERR); |
||||
+ } |
||||
+ |
||||
+ if (namereln != dns_namereln_subdomain) { |
||||
+ char qbuf[DNS_NAME_FORMATSIZE]; |
||||
+ char obuf[DNS_NAME_FORMATSIZE]; |
||||
+ |
||||
+ dns_name_format(qname, qbuf, |
||||
+ sizeof(qbuf)); |
||||
+ dns_name_format(name, obuf, |
||||
+ sizeof(obuf)); |
||||
+ log_formerr(fctx, "unrelated DNAME " |
||||
+ "in answer: %s is " |
||||
+ "not in %s", qbuf, obuf); |
||||
+ return (DNS_R_FORMERR); |
||||
+ } |
||||
|
||||
- found = ISC_FALSE; |
||||
aflag = 0; |
||||
if (rdataset->type == dns_rdatatype_dname) { |
||||
- /* |
||||
- * We're looking for something else, |
||||
- * but we found a DNAME. |
||||
- * |
||||
- * If we're not chaining, then the |
||||
- * DNAME should not be external. |
||||
- */ |
||||
- if (!chaining && external) { |
||||
- log_formerr(fctx, |
||||
- "external DNAME"); |
||||
- return (DNS_R_FORMERR); |
||||
- } |
||||
- found = ISC_TRUE; |
||||
want_chaining = ISC_TRUE; |
||||
POST(want_chaining); |
||||
aflag = DNS_RDATASETATTR_ANSWER; |
||||
- result = dname_target(fctx, rdataset, |
||||
- qname, name, |
||||
- &dname); |
||||
+ result = dname_target(rdataset, qname, |
||||
+ nlabels, &fdname); |
||||
if (result == ISC_R_NOSPACE) { |
||||
/* |
||||
* We can't construct the |
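Review bot: The `!chaining && external` and `namereln != dns_namereln_subdomain` checks are invariant for the owner name, yet they sit inside the per-rdataset loop after the type filter, so they are evaluated only when the name actually carries a DNAME or RRSIG(DNAME) and a name with other data is silently ignored as the comment above the loop promises. That placement is deliberate but not obvious, and a one-line comment before the first check, `/* The checks below apply only once we know this name carries DNAME data. */`, would keep someone from hoisting them out of the loop and turning every unrelated name into a FORMERR. The two error blocks also duplicate the formatting boilerplate and could share a small static helper, which is a style choice.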
||||
@@ -6321,90 +6335,73 @@ answer_response(fetchctx_t *fctx) { |
||||
} else if (result != ISC_R_SUCCESS) |
||||
return (result); |
||||
else |
||||
- found_dname = ISC_TRUE; |
||||
+ dnameset = rdataset; |
||||
|
||||
- dname_name = dns_fixedname_name(&dname); |
||||
+ dname = dns_fixedname_name(&fdname); |
||||
if (!is_answertarget_allowed(view, |
||||
- qname, |
||||
- rdataset->type, |
||||
- dname_name, |
||||
- &fctx->domain)) { |
||||
+ qname, rdataset->type, |
||||
+ dname, &fctx->domain)) { |
||||
return (DNS_R_SERVFAIL); |
||||
} |
||||
- } else if (rdataset->type == dns_rdatatype_rrsig |
||||
- && rdataset->covers == |
||||
- dns_rdatatype_dname) { |
||||
+ } else { |
||||
/* |
||||
* We've found a signature that |
||||
* covers the DNAME. |
||||
*/ |
||||
- found = ISC_TRUE; |
||||
aflag = DNS_RDATASETATTR_ANSWERSIG; |
||||
} |
||||
|
||||
- if (found) { |
||||
+ /* |
||||
+ * We've found an answer to our |
||||
+ * question. |
||||
+ */ |
||||
+ name->attributes |= DNS_NAMEATTR_CACHE; |
||||
+ rdataset->attributes |= DNS_RDATASETATTR_CACHE; |
||||
+ rdataset->trust = dns_trust_answer; |
||||
+ if (!chaining) { |
||||
/* |
||||
- * We've found an answer to our |
||||
- * question. |
||||
+ * This data is "the" answer to |
||||
+ * our question only if we're |
||||
+ * not chaining. |
||||
*/ |
||||
- name->attributes |= |
||||
- DNS_NAMEATTR_CACHE; |
||||
- rdataset->attributes |= |
||||
- DNS_RDATASETATTR_CACHE; |
||||
- rdataset->trust = dns_trust_answer; |
||||
- if (!chaining) { |
||||
- /* |
||||
- * This data is "the" answer |
||||
- * to our question only if |
||||
- * we're not chaining. |
||||
- */ |
||||
- INSIST(!external); |
||||
- if (aflag == |
||||
- DNS_RDATASETATTR_ANSWER) |
||||
- have_answer = ISC_TRUE; |
||||
+ INSIST(!external); |
||||
+ if (aflag == DNS_RDATASETATTR_ANSWER) { |
||||
+ have_answer = ISC_TRUE; |
||||
name->attributes |= |
||||
DNS_NAMEATTR_ANSWER; |
||||
- rdataset->attributes |= aflag; |
||||
- if (aa) |
||||
- rdataset->trust = |
||||
- dns_trust_authanswer; |
||||
- } else if (external) { |
||||
- rdataset->attributes |= |
||||
- DNS_RDATASETATTR_EXTERNAL; |
||||
- } |
||||
- |
||||
- /* |
||||
- * DNAME chaining. |
||||
- */ |
||||
- if (found_dname) { |
||||
- /* |
||||
- * Copy the dname into the |
||||
- * qname fixed name. |
||||
- * |
||||
- * Although we check for |
||||
- * failure of the copy |
||||
- * operation, in practice it |
||||
- * should never fail since |
||||
- * we already know that the |
||||
- * result fits in a fixedname. |
||||
- */ |
||||
- dns_fixedname_init(&fqname); |
||||
- result = dns_name_copy( |
||||
- dns_fixedname_name(&dname), |
||||
- dns_fixedname_name(&fqname), |
||||
- NULL); |
||||
- if (result != ISC_R_SUCCESS) |
||||
- return (result); |
||||
- wanted_chaining = ISC_TRUE; |
||||
- name->attributes |= |
||||
- DNS_NAMEATTR_CHAINING; |
||||
- rdataset->attributes |= |
||||
- DNS_RDATASETATTR_CHAINING; |
||||
- qname = dns_fixedname_name( |
||||
- &fqname); |
||||
} |
||||
+ rdataset->attributes |= aflag; |
||||
+ if (aa) |
||||
+ rdataset->trust = |
||||
+ dns_trust_authanswer; |
||||
+ } else if (external) { |
||||
+ rdataset->attributes |= |
||||
+ DNS_RDATASETATTR_EXTERNAL; |
||||
} |
||||
} |
||||
+ |
||||
+ /* |
||||
+ * DNAME chaining. |
||||
+ */ |
||||
+ if (dnameset != NULL) { |
||||
+ /* |
||||
+ * Copy the dname into the qname fixed name. |
||||
+ * |
||||
+ * Although we check for failure of the copy |
||||
+ * operation, in practice it should never fail |
||||
+ * since we already know that the result fits |
||||
+ * in a fixedname. |
||||
+ */ |
||||
+ dns_fixedname_init(&fqname); |
||||
+ qname = dns_fixedname_name(&fqname); |
||||
+ result = dns_name_copy(dname, qname, NULL); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ return (result); |
||||
+ wanted_chaining = ISC_TRUE; |
||||
+ name->attributes |= DNS_NAMEATTR_CHAINING; |
||||
+ dnameset->attributes |= |
||||
+ DNS_RDATASETATTR_CHAINING; |
||||
+ } |
||||
if (wanted_chaining) |
||||
chaining = ISC_TRUE; |
||||
} |
||||
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c |
||||
index ae5391a..10e5dc9 100644 |
||||
--- a/lib/isccc/cc.c |
||||
+++ b/lib/isccc/cc.c |
||||
@@ -286,10 +286,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, |
||||
* Extract digest. |
||||
*/ |
||||
_auth = isccc_alist_lookup(alist, "_auth"); |
||||
- if (_auth == NULL) |
||||
+ if (!isccc_alist_alistp(_auth)) |
||||
return (ISC_R_FAILURE); |
||||
hmd5 = isccc_alist_lookup(_auth, "hmd5"); |
||||
- if (hmd5 == NULL) |
||||
+ if (!isccc_sexpr_binaryp(hmd5)) |
||||
return (ISC_R_FAILURE); |
||||
/* |
||||
* Compute digest. |
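Review bot: `isccc_sexpr_binaryp(hmd5)` establishes that the `hmd5` value is binary data but not that it has the length of the encoded digest, so the comparison against the computed digest later in `verify()` (outside this hunk) must still bound its read by the value's own length rather than a fixed digest size; otherwise a shorter attacker-supplied `hmd5` would be read past its end. Both new type checks also rely on `isccc_alist_alistp()` and `isccc_sexpr_binaryp()` returning false for a NULL lookup result, since the explicit `== NULL` tests they replace are gone; that is presumably how they behave, and a comment such as `/* lookup may return NULL; the type predicates reject it */` would record it. The function begins before the hunk.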
||||
@@ -543,7 +543,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, |
||||
REQUIRE(ackp != NULL && *ackp == NULL); |
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl"); |
||||
- if (_ctrl == NULL || |
||||
+ if (!isccc_alist_alistp(_ctrl) || |
||||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || |
||||
isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) |
||||
return (ISC_R_FAILURE); |
||||
@@ -588,7 +588,7 @@ isccc_cc_isack(isccc_sexpr_t *message) |
||||
isccc_sexpr_t *_ctrl; |
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl"); |
||||
- if (_ctrl == NULL) |
||||
+ if (!isccc_alist_alistp(_ctrl)) |
||||
return (ISC_FALSE); |
||||
if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) |
||||
return (ISC_TRUE); |
||||
@@ -601,7 +601,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) |
||||
isccc_sexpr_t *_ctrl; |
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl"); |
||||
- if (_ctrl == NULL) |
||||
+ if (!isccc_alist_alistp(_ctrl)) |
||||
return (ISC_FALSE); |
||||
if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) |
||||
return (ISC_TRUE); |
||||
@@ -621,7 +621,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, |
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl"); |
||||
_data = isccc_alist_lookup(message, "_data"); |
||||
- if (_ctrl == NULL || _data == NULL || |
||||
+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || |
||||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || |
||||
isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) |
||||
return (ISC_R_FAILURE); |
||||
@@ -810,7 +810,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, |
||||
isccc_sexpr_t *_ctrl; |
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl"); |
||||
- if (_ctrl == NULL || |
||||
+ if (!isccc_alist_alistp(_ctrl) || |
||||
isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || |
||||
isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) |
||||
return (ISC_R_FAILURE); |
@@ -0,0 +1,66 @@
|
||||
From 062b04898be720ed0855efc192847fcbc667b3e1 Mon Sep 17 00:00:00 2001 |
||||
From: Mark Andrews <marka@isc.org> |
||||
Date: Thu, 7 Jul 2016 12:52:47 +1000 |
||||
Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute |
||||
name could trigger a infinite recursion bug in lwresd |
||||
and named with lwres configured if when combined |
||||
with a search list entry the resulting name is |
||||
too long. [RT #42694] |
||||
|
||||
(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232) |
||||
--- |
||||
bin/named/lwdgrbn.c | 16 ++++++++++------ |
||||
bin/tests/system/lwresd/lwtest.c | 8 ++++++++ |
||||
2 files changed, 18 insertions(+), 6 deletions(-) |
||||
|
||||
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c |
||||
index 584ab25..37211eb 100644 |
||||
--- a/bin/named/lwdgrbn.c |
||||
+++ b/bin/named/lwdgrbn.c |
||||
@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { |
||||
INSIST(client->lookup == NULL); |
||||
|
||||
dns_fixedname_init(&absname); |
||||
- result = ns_lwsearchctx_current(&client->searchctx, |
||||
- dns_fixedname_name(&absname)); |
||||
+ |
||||
/* |
||||
- * This will return failure if relative name + suffix is too long. |
||||
- * In this case, just go on to the next entry in the search path. |
||||
+ * Perform search across all search domains until success |
||||
+ * is returned. Return in case of failure. |
||||
*/ |
||||
- if (result != ISC_R_SUCCESS) |
||||
- start_lookup(client); |
||||
+ while (ns_lwsearchctx_current(&client->searchctx, |
||||
+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { |
||||
+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { |
||||
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); |
||||
+ return; |
||||
+ } |
||||
+ } |
||||
|
||||
result = dns_lookup_create(cm->mctx, |
||||
dns_fixedname_name(&absname), |
||||
diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c |
||||
index 02647cb..c2be95d 100644 |
||||
--- a/bin/tests/system/lwresd/lwtest.c |
||||
+++ b/bin/tests/system/lwresd/lwtest.c |
||||
@@ -768,6 +768,14 @@ main(void) { |
||||
test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); |
||||
test_getrrsetbyname("", 1, 1, 0, 0, 0); |
||||
|
||||
+ test_getrrsetbyname("123456789.123456789.123456789.123456789." |
||||
+ "123456789.123456789.123456789.123456789." |
||||
+ "123456789.123456789.123456789.123456789." |
||||
+ "123456789.123456789.123456789.123456789." |
||||
+ "123456789.123456789.123456789.123456789." |
||||
+ "123456789.123456789.123456789.123456789." |
||||
+ "123456789", 1, 1, 0, 0, 0); |
||||
+ |
||||
if (fails == 0) |
||||
printf("I:ok\n"); |
||||
return (fails); |
||||
-- |
||||
2.7.4 |
||||
|
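Review bot: The replacement loop in start_lookup is undocumented: nothing in the hunk says why the tail call was replaced, and the rewritten comment only describes the search. I would extend that comment to `/* Iterate rather than recurse: with a long relative name every search-list entry can fail, and the old tail call into start_lookup() recursed without bound (RT #42694). */`. Termination of the loop rests on ns_lwsearchctx_next() eventually returning non-success, which looks right from the names but cannot be confirmed from the hunk. start_lookup begins and ends outside the hunk.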
@ -0,0 +1,89 @@
@@ -0,0 +1,89 @@
|
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c |
||||
index 73def73..3d2de4f 100644 |
||||
--- a/lib/dns/message.c |
||||
+++ b/lib/dns/message.c |
||||
@@ -1736,7 +1736,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, |
||||
if (r.length < DNS_MESSAGE_HEADERLEN) |
||||
return (ISC_R_NOSPACE); |
||||
|
||||
- if (r.length < msg->reserved) |
||||
+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) |
||||
return (ISC_R_NOSPACE); |
||||
|
||||
/* |
||||
@@ -1863,8 +1863,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options) |
||||
|
||||
return (ISC_TRUE); |
||||
} |
||||
- |
||||
#endif |
||||
+ |
||||
+static isc_result_t |
||||
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, |
||||
+ dns_compress_t *cctx, isc_buffer_t *target, |
||||
+ unsigned int reserved, unsigned int options, unsigned int *countp) |
||||
+{ |
||||
+ isc_result_t result; |
||||
+ |
||||
+ /* |
||||
+ * Shrink the space in the buffer by the reserved amount. |
||||
+ */ |
||||
+ if (target->length - target->used < reserved) |
||||
+ return (ISC_R_NOSPACE); |
||||
+ |
||||
+ target->length -= reserved; |
||||
+ result = dns_rdataset_towire(rdataset, owner_name, |
||||
+ cctx, target, options, countp); |
||||
+ target->length += reserved; |
||||
+ |
||||
+ return (result); |
||||
+} |
||||
+ |
||||
isc_result_t |
||||
dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, |
||||
unsigned int options) |
||||
@@ -1907,6 +1928,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, |
||||
/* |
||||
* Shrink the space in the buffer by the reserved amount. |
||||
*/ |
||||
+ if (msg->buffer->length - msg->buffer->used < msg->reserved) |
||||
+ return (ISC_R_NOSPACE); |
||||
msg->buffer->length -= msg->reserved; |
||||
|
||||
total = 0; |
||||
@@ -2183,9 +2206,8 @@ dns_message_renderend(dns_message_t *msg) { |
||||
* Render. |
||||
*/ |
||||
count = 0; |
||||
- result = dns_rdataset_towire(msg->opt, dns_rootname, |
||||
- msg->cctx, msg->buffer, 0, |
||||
- &count); |
||||
+ result = renderset(msg->opt, dns_rootname, msg->cctx, |
||||
+ msg->buffer, msg->reserved, 0, &count); |
||||
msg->counts[DNS_SECTION_ADDITIONAL] += count; |
||||
if (result != ISC_R_SUCCESS) |
||||
return (result); |
||||
@@ -2201,9 +2223,8 @@ dns_message_renderend(dns_message_t *msg) { |
||||
if (result != ISC_R_SUCCESS) |
||||
return (result); |
||||
count = 0; |
||||
- result = dns_rdataset_towire(msg->tsig, msg->tsigname, |
||||
- msg->cctx, msg->buffer, 0, |
||||
- &count); |
||||
+ result = renderset(msg->tsig, msg->tsigname, msg->cctx, |
||||
+ msg->buffer, msg->reserved, 0, &count); |
||||
msg->counts[DNS_SECTION_ADDITIONAL] += count; |
||||
if (result != ISC_R_SUCCESS) |
||||
return (result); |
||||
@@ -2224,9 +2245,8 @@ dns_message_renderend(dns_message_t *msg) { |
||||
* the owner name of a SIG(0) is irrelevant, and will not |
||||
* be set in a message being rendered. |
||||
*/ |
||||
- result = dns_rdataset_towire(msg->sig0, dns_rootname, |
||||
- msg->cctx, msg->buffer, 0, |
||||
- &count); |
||||
+ result = renderset(msg->sig0, dns_rootname, msg->cctx, |
||||
+ msg->buffer, msg->reserved, 0, &count); |
||||
msg->counts[DNS_SECTION_ADDITIONAL] += count; |
||||
if (result != ISC_R_SUCCESS) |
||||
return (result); |
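Review bot: renderset() at the top of the second hunk has no header comment, and its only comment was copied from dns_message_rendersection. I would add a short comment above the function stating that it renders rdataset into target while keeping `reserved` bytes off-limits, returns ISC_R_NOSPACE when fewer than `reserved` bytes are free, and restores target->length on every path. The guard `target->length - target->used < reserved`, like the matching one added to dns_message_rendersection, is unsigned arithmetic and is safe only if the buffer invariant used <= length holds; I assume isc_buffer guarantees that but cannot see it here. The three call sites in dns_message_renderend now pass msg->reserved, so whoever reserved space for OPT/TSIG/SIG(0) must release it before these calls — a one-line comment there would prevent a future double accounting.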
@ -0,0 +1,174 @@
@@ -0,0 +1,174 @@
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 5ef2dd6..1b987dd 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -526,7 +526,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, |
||||
valarg->addrinfo = addrinfo; |
||||
|
||||
if (!ISC_LIST_EMPTY(fctx->validators)) |
||||
- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); |
||||
+ valoptions |= DNS_VALIDATOR_DEFER; |
||||
+ else |
||||
+ valoptions &= ~DNS_VALIDATOR_DEFER; |
||||
|
||||
result = dns_validator_create(fctx->res->view, name, type, rdataset, |
||||
sigrdataset, fctx->rmessage, |
||||
@@ -4872,13 +4874,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, |
||||
rdataset, |
||||
sigrdataset, |
||||
valoptions, task); |
||||
- /* |
||||
- * Defer any further validations. |
||||
- * This prevents multiple validators |
||||
- * from manipulating fctx->rmessage |
||||
- * simultaneously. |
||||
- */ |
||||
- valoptions |= DNS_VALIDATOR_DEFER; |
||||
} |
||||
} else if (CHAINING(rdataset)) { |
||||
if (rdataset->type == dns_rdatatype_cname) |
||||
@@ -4984,6 +4979,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, |
||||
eresult == DNS_R_NCACHENXRRSET); |
||||
} |
||||
event->result = eresult; |
||||
+ if (adbp != NULL && *adbp != NULL) { |
||||
+ if (anodep != NULL && *anodep != NULL) |
||||
+ dns_db_detachnode(*adbp, anodep); |
||||
+ dns_db_detach(adbp); |
||||
+ } |
||||
dns_db_attach(fctx->cache, adbp); |
||||
dns_db_transfernode(fctx->cache, &node, anodep); |
||||
clone_results(fctx); |
||||
@@ -5231,6 +5231,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, |
||||
fctx->attributes |= FCTX_ATTR_HAVEANSWER; |
||||
if (event != NULL) { |
||||
event->result = eresult; |
||||
+ if (adbp != NULL && *adbp != NULL) { |
||||
+ if (anodep != NULL && *anodep != NULL) |
||||
+ dns_db_detachnode(*adbp, anodep); |
||||
+ dns_db_detach(adbp); |
||||
+ } |
||||
dns_db_attach(fctx->cache, adbp); |
||||
dns_db_transfernode(fctx->cache, &node, anodep); |
||||
clone_results(fctx); |
||||
@@ -6039,13 +6044,15 @@ static isc_result_t |
||||
answer_response(fetchctx_t *fctx) { |
||||
isc_result_t result; |
||||
dns_message_t *message; |
||||
- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; |
||||
+ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; |
||||
+ dns_name_t *cname = NULL; |
||||
dns_rdataset_t *rdataset, *ns_rdataset; |
||||
isc_boolean_t done, external, chaining, aa, found, want_chaining; |
||||
- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; |
||||
+ isc_boolean_t have_answer, found_cname, found_dname, found_type; |
||||
+ isc_boolean_t wanted_chaining; |
||||
unsigned int aflag; |
||||
dns_rdatatype_t type; |
||||
- dns_fixedname_t fdname, fqname; |
||||
+ dns_fixedname_t fdname, fqname, fqdname; |
||||
dns_view_t *view; |
||||
|
||||
FCTXTRACE("answer_response"); |
||||
@@ -6059,6 +6066,7 @@ answer_response(fetchctx_t *fctx) { |
||||
|
||||
done = ISC_FALSE; |
||||
found_cname = ISC_FALSE; |
||||
+ found_dname = ISC_FALSE; |
||||
found_type = ISC_FALSE; |
||||
chaining = ISC_FALSE; |
||||
have_answer = ISC_FALSE; |
||||
@@ -6068,12 +6076,13 @@ answer_response(fetchctx_t *fctx) { |
||||
aa = ISC_TRUE; |
||||
else |
||||
aa = ISC_FALSE; |
||||
- qname = &fctx->name; |
||||
+ dqname = qname = &fctx->name; |
||||
type = fctx->type; |
||||
view = fctx->res->view; |
||||
+ dns_fixedname_init(&fqdname); |
||||
result = dns_message_firstname(message, DNS_SECTION_ANSWER); |
||||
while (!done && result == ISC_R_SUCCESS) { |
||||
- dns_namereln_t namereln; |
||||
+ dns_namereln_t namereln, dnamereln; |
||||
int order; |
||||
unsigned int nlabels; |
||||
|
||||
@@ -6081,6 +6090,8 @@ answer_response(fetchctx_t *fctx) { |
||||
dns_message_currentname(message, DNS_SECTION_ANSWER, &name); |
||||
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); |
||||
namereln = dns_name_fullcompare(qname, name, &order, &nlabels); |
||||
+ dnamereln = dns_name_fullcompare(dqname, name, &order, |
||||
+ &nlabels); |
||||
if (namereln == dns_namereln_equal) { |
||||
wanted_chaining = ISC_FALSE; |
||||
for (rdataset = ISC_LIST_HEAD(name->list); |
||||
@@ -6205,9 +6216,16 @@ answer_response(fetchctx_t *fctx) { |
||||
* a CNAME or DNAME). |
||||
*/ |
||||
INSIST(!external); |
||||
- if (aflag == |
||||
- DNS_RDATASETATTR_ANSWER) { |
||||
+ if ((rdataset->type != |
||||
+ dns_rdatatype_cname) || |
||||
+ !found_dname || |
||||
+ (aflag == |
||||
+ DNS_RDATASETATTR_ANSWER)) |
||||
+ { |
||||
have_answer = ISC_TRUE; |
||||
+ if (rdataset->type == |
||||
+ dns_rdatatype_cname) |
||||
+ cname = name; |
||||
name->attributes |= |
||||
DNS_NAMEATTR_ANSWER; |
||||
} |
||||
@@ -6303,11 +6321,11 @@ answer_response(fetchctx_t *fctx) { |
||||
return (DNS_R_FORMERR); |
||||
} |
||||
|
||||
- if (namereln != dns_namereln_subdomain) { |
||||
+ if (dnamereln != dns_namereln_subdomain) { |
||||
char qbuf[DNS_NAME_FORMATSIZE]; |
||||
char obuf[DNS_NAME_FORMATSIZE]; |
||||
|
||||
- dns_name_format(qname, qbuf, |
||||
+ dns_name_format(dqname, qbuf, |
||||
sizeof(qbuf)); |
||||
dns_name_format(name, obuf, |
||||
sizeof(obuf)); |
||||
@@ -6322,7 +6340,7 @@ answer_response(fetchctx_t *fctx) { |
||||
want_chaining = ISC_TRUE; |
||||
POST(want_chaining); |
||||
aflag = DNS_RDATASETATTR_ANSWER; |
||||
- result = dname_target(rdataset, qname, |
||||
+ result = dname_target(rdataset, dqname, |
||||
nlabels, &fdname); |
||||
if (result == ISC_R_NOSPACE) { |
||||
/* |
||||
@@ -6339,10 +6357,13 @@ answer_response(fetchctx_t *fctx) { |
||||
|
||||
dname = dns_fixedname_name(&fdname); |
||||
if (!is_answertarget_allowed(view, |
||||
- qname, rdataset->type, |
||||
- dname, &fctx->domain)) { |
||||
+ dqname, rdataset->type, |
||||
+ dname, &fctx->domain)) |
||||
+ { |
||||
return (DNS_R_SERVFAIL); |
||||
} |
||||
+ dqname = dns_fixedname_name(&fqdname); |
||||
+ dns_name_copy(dname, dqname, NULL); |
||||
} else { |
||||
/* |
||||
* We've found a signature that |
||||
@@ -6367,6 +6388,10 @@ answer_response(fetchctx_t *fctx) { |
||||
INSIST(!external); |
||||
if (aflag == DNS_RDATASETATTR_ANSWER) { |
||||
have_answer = ISC_TRUE; |
||||
+ found_dname = ISC_TRUE; |
||||
+ if (cname != NULL) |
||||
+ cname->attributes &= |
||||
+ ~DNS_NAMEATTR_ANSWER; |
||||
name->attributes |= |
||||
DNS_NAMEATTR_ANSWER; |
||||
} |
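Review bot: The second dns_name_fullcompare() added at line 6093 of answer_response overwrites `order` and `nlabels` that the preceding call computed for qname, so from that point both variables describe dqname. The dname_target(rdataset, dqname, nlabels, ...) call in the 6340 hunk wants exactly that, but any use of `order` or `nlabels` between the two hunks that still assumes qname would silently get the DNAME-rewritten values; that code is outside the hunk and needs checking. The detach-before-attach block added to cache_name and ncache_message is identical in both places and carries no comment; I would put `/* Drop a previously attached db/node before attaching the cache again, otherwise the earlier reference leaks. */` above the first and consider a small static helper. answer_response, cache_name and ncache_message all begin and end outside the hunks.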
@ -0,0 +1,37 @@
@@ -0,0 +1,37 @@
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 2bc4461..d9de369 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -6533,6 +6533,19 @@ answer_response(fetchctx_t *fctx) { |
||||
log_formerr(fctx, "NSEC3 in answer"); |
||||
return (DNS_R_FORMERR); |
||||
} |
||||
+ if (rdataset->type == dns_rdatatype_tkey) { |
||||
+ /* |
||||
+ * TKEY is not a valid record in a |
||||
+ * response to any query we can make. |
||||
+ */ |
||||
+ log_formerr(fctx, "TKEY in answer"); |
||||
+ return (DNS_R_FORMERR); |
||||
+ } |
||||
+ if (rdataset->rdclass != fctx->res->rdclass) { |
||||
+ log_formerr(fctx, "Mismatched class " |
||||
+ "in answer"); |
||||
+ return (DNS_R_FORMERR); |
||||
+ } |
||||
|
||||
/* |
||||
* Apply filters, if given, on answers to reject |
||||
@@ -6719,6 +6732,12 @@ answer_response(fetchctx_t *fctx) { |
||||
rdataset != NULL; |
||||
rdataset = ISC_LIST_NEXT(rdataset, link)) |
||||
{ |
||||
+ if (rdataset->rdclass != fctx->res->rdclass) { |
||||
+ log_formerr(fctx, "Mismatched class " |
||||
+ "in answer"); |
||||
+ return (DNS_R_FORMERR); |
||||
+ } |
||||
+ |
||||
/* |
||||
* Only pass DNAME or RRSIG(DNAME). |
||||
*/ |
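Review bot: The class check added at line 6735 of answer_response repeats the one at line 6544 verbatim, split log string included, but without the explanatory comment the neighbouring TKEY check carries. I would give both a short comment such as `/* A record of another class cannot answer this query; treat the response as malformed. */`, or fold the two into one static helper so the message and the comparison against fctx->res->rdclass cannot drift apart. Both checks log and return DNS_R_FORMERR, consistent with the NSEC3 handling above them. The enclosing loops begin and end outside the hunks.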
@ -0,0 +1,31 @@
@@ -0,0 +1,31 @@
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 9ad5f81..ffdde5e 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -6229,15 +6229,19 @@ answer_response(fetchctx_t *fctx) { |
||||
* a CNAME or DNAME). |
||||
*/ |
||||
INSIST(!external); |
||||
- if ((rdataset->type != |
||||
- dns_rdatatype_cname) || |
||||
- !found_dname || |
||||
- (aflag == |
||||
- DNS_RDATASETATTR_ANSWER)) |
||||
+ /* |
||||
+ * Don't use found_cname here |
||||
+ * as we have just set it |
||||
+ * above. |
||||
+ */ |
||||
+ if (cname == NULL && |
||||
+ !found_dname && |
||||
+ aflag == |
||||
+ DNS_RDATASETATTR_ANSWER) |
||||
{ |
||||
have_answer = ISC_TRUE; |
||||
- if (rdataset->type == |
||||
- dns_rdatatype_cname) |
||||
+ if (found_cname && |
||||
+ cname == NULL) |
||||
cname = name; |
||||
name->attributes |= |
||||
DNS_NAMEATTR_ANSWER; |
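Review bot: The new comment `Don't use found_cname here as we have just set it above` is contradicted two lines later, where the inner condition `if (found_cname && cname == NULL)` does use found_cname. The distinction the author presumably means is that the outer test must not depend on found_cname because it was set for this very rdataset, whereas the inner test uses it deliberately to record the first CNAME owner once; I would reword the comment to `Don't make the outer test depend on found_cname: it was set for this rdataset above. The inner test uses it on purpose, to remember the first CNAME owner.` The restructured outer condition now requires all of `cname == NULL`, `!found_dname` and the ANSWER flag, stricter than the disjunction it replaces; that reads as the intended fix, but the rest of the function is outside the hunk.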
@ -0,0 +1,147 @@
@@ -0,0 +1,147 @@
|
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c |
||||
index 869d258..c1f9498 100644 |
||||
--- a/lib/dns/message.c |
||||
+++ b/lib/dns/message.c |
||||
@@ -1150,6 +1150,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) { |
||||
return (ISC_FALSE); |
||||
} |
||||
|
||||
+/* |
||||
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have |
||||
+ * covering RRSIGs. |
||||
+ */ |
||||
+static isc_boolean_t |
||||
+auth_signed(dns_namelist_t *section) { |
||||
+ dns_name_t *name; |
||||
+ |
||||
+ for (name = ISC_LIST_HEAD(*section); |
||||
+ name != NULL; |
||||
+ name = ISC_LIST_NEXT(name, link)) |
||||
+ { |
||||
+ int auth_dnssec = 0, auth_rrsig = 0; |
||||
+ dns_rdataset_t *rds; |
||||
+ |
||||
+ for (rds = ISC_LIST_HEAD(name->list); |
||||
+ rds != NULL; |
||||
+ rds = ISC_LIST_NEXT(rds, link)) |
||||
+ { |
||||
+ switch (rds->type) { |
||||
+ case dns_rdatatype_ds: |
||||
+ auth_dnssec |= 0x1; |
||||
+ break; |
||||
+ case dns_rdatatype_nsec: |
||||
+ auth_dnssec |= 0x2; |
||||
+ break; |
||||
+ case dns_rdatatype_nsec3: |
||||
+ auth_dnssec |= 0x4; |
||||
+ break; |
||||
+ case dns_rdatatype_rrsig: |
||||
+ break; |
||||
+ default: |
||||
+ continue; |
||||
+ } |
||||
+ |
||||
+ switch (rds->covers) { |
||||
+ case dns_rdatatype_ds: |
||||
+ auth_rrsig |= 0x1; |
||||
+ break; |
||||
+ case dns_rdatatype_nsec: |
||||
+ auth_rrsig |= 0x2; |
||||
+ break; |
||||
+ case dns_rdatatype_nsec3: |
||||
+ auth_rrsig |= 0x4; |
||||
+ break; |
||||
+ default: |
||||
+ break; |
||||
+ } |
||||
+ } |
||||
+ |
||||
+ if (auth_dnssec != auth_rrsig) |
||||
+ return (ISC_FALSE); |
||||
+ } |
||||
+ |
||||
+ return (ISC_TRUE); |
||||
+} |
||||
+ |
||||
static isc_result_t |
||||
getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
dns_section_t sectionid, unsigned int options) |
||||
@@ -1175,12 +1232,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT); |
||||
seen_problem = ISC_FALSE; |
||||
|
||||
+ section = &msg->sections[sectionid]; |
||||
+ |
||||
for (count = 0; count < msg->counts[sectionid]; count++) { |
||||
int recstart = source->current; |
||||
isc_boolean_t skip_name_search, skip_type_search; |
||||
|
||||
- section = &msg->sections[sectionid]; |
||||
- |
||||
skip_name_search = ISC_FALSE; |
||||
skip_type_search = ISC_FALSE; |
||||
free_rdataset = ISC_FALSE; |
||||
@@ -1354,7 +1411,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
goto cleanup; |
||||
rdata->rdclass = rdclass; |
||||
issigzero = ISC_FALSE; |
||||
- if (rdtype == dns_rdatatype_rrsig && |
||||
+ if (rdtype == dns_rdatatype_rrsig && |
||||
rdata->flags == 0) { |
||||
covers = dns_rdata_covers(rdata); |
||||
if (covers == 0) |
||||
@@ -1565,6 +1622,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
INSIST(free_rdataset == ISC_FALSE); |
||||
} |
||||
|
||||
+ /* |
||||
+ * If any of DS, NSEC or NSEC3 appeared in the |
||||
+ * authority section of a query response without |
||||
+ * a covering RRSIG, FORMERR |
||||
+ */ |
||||
+ if (sectionid == DNS_SECTION_AUTHORITY && |
||||
+ msg->opcode == dns_opcode_query && |
||||
+ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) && |
||||
+ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) && |
||||
+ !preserve_order && |
||||
+ !auth_signed(section)) |
||||
+ DO_FORMERR; |
||||
+ |
||||
if (seen_problem) |
||||
return (DNS_R_RECOVERABLE); |
||||
return (ISC_R_SUCCESS); |
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 2bc4461..e5600a3 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -5194,13 +5194,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, |
||||
rdataset->type, |
||||
&noqname); |
||||
if (tresult == ISC_R_SUCCESS && |
||||
- noqname != NULL) { |
||||
- tresult = |
||||
- dns_rdataset_addnoqname( |
||||
+ noqname != NULL) |
||||
+ (void) dns_rdataset_addnoqname( |
||||
rdataset, noqname); |
||||
- RUNTIME_CHECK(tresult == |
||||
- ISC_R_SUCCESS); |
||||
- } |
||||
} |
||||
addedrdataset = ardataset; |
||||
result = dns_db_addrdataset(fctx->cache, node, |
||||
@@ -5330,11 +5326,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, |
||||
tresult = findnoqname(fctx, name, |
||||
rdataset->type, &noqname); |
||||
if (tresult == ISC_R_SUCCESS && |
||||
- noqname != NULL) { |
||||
- tresult = dns_rdataset_addnoqname( |
||||
- rdataset, noqname); |
||||
- RUNTIME_CHECK(tresult == ISC_R_SUCCESS); |
||||
- } |
||||
+ noqname != NULL) |
||||
+ (void) dns_rdataset_addnoqname( |
||||
+ rdataset, noqname); |
||||
} |
||||
|
||||
/* |
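Review bot: The header comment on auth_signed() says it confirms that DS, NSEC and NSEC3 records have covering RRSIGs, but the final `auth_dnssec != auth_rrsig` comparison is two-way: an RRSIG covering one of those types with no matching record also fails the check. I would add to the comment `The check is symmetric: an RRSIG(DS/NSEC/NSEC3) without the record it covers also fails.` Moving `section = &msg->sections[sectionid];` ahead of the for loop in getsection is what keeps the new auth_signed(section) call defined when the section count is zero — a one-line comment on the move would save the next reader that deduction. In the resolver hunks the RUNTIME_CHECK on dns_rdataset_addnoqname() becomes a `(void)` cast with no note on why a failure is now acceptable to ignore; a comment there is warranted.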
@ -0,0 +1,193 @@
@@ -0,0 +1,193 @@
|
||||
From f05af77f32742b8e601d766e1f2fe6a480c7e735 Mon Sep 17 00:00:00 2001 |
||||
From: rpm-build <rpm-build> |
||||
Date: Wed, 8 Feb 2017 12:23:20 +0100 |
||||
Subject: [PATCH] 4557. [security] Combining dns64 and rpz can result in |
||||
dereferencing a NULL pointer (read). (CVE-2017-3135) |
||||
[RT#44434] |
||||
|
||||
--- |
||||
bin/named/query.c | 59 +++++++++++++++++++++++++----------------------------- |
||||
lib/dns/message.c | 6 +++--- |
||||
lib/dns/rdataset.c | 1 + |
||||
3 files changed, 31 insertions(+), 35 deletions(-) |
||||
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c |
||||
index 1975dfc..f60078b 100644 |
||||
--- a/bin/named/query.c |
||||
+++ b/bin/named/query.c |
||||
@@ -5591,9 +5591,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
dns_rpz_st_t *rpz_st; |
||||
isc_boolean_t resuming; |
||||
int line = -1; |
||||
- isc_boolean_t dns64_exclude, dns64; |
||||
+ isc_boolean_t dns64_exclude, dns64, rpz; |
||||
dns_clientinfomethods_t cm; |
||||
dns_clientinfo_t ci; |
||||
+ dns_name_t *rpzqname; |
||||
|
||||
CTRACE("query_find"); |
||||
|
||||
@@ -5619,7 +5620,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
zone = NULL; |
||||
need_wildcardproof = ISC_FALSE; |
||||
empty_wild = ISC_FALSE; |
||||
- dns64_exclude = dns64 = ISC_FALSE; |
||||
+ dns64_exclude = dns64 = rpz = ISC_FALSE; |
||||
options = 0; |
||||
resuming = ISC_FALSE; |
||||
is_zone = ISC_FALSE; |
||||
@@ -5736,6 +5737,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
authoritative = ISC_FALSE; |
||||
version = NULL; |
||||
need_wildcardproof = ISC_FALSE; |
||||
+ rpz = ISC_FALSE; |
||||
|
||||
if (client->view->checknames && |
||||
!dns_rdata_checkowner(client->query.qname, |
||||
@@ -5860,11 +5862,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
} |
||||
|
||||
/* |
||||
- * Now look for an answer in the database. |
||||
+ * Now look for an answer in the database. If this is a dns64 |
||||
+ * AAAA lookup on a rpz database adjust the qname. |
||||
*/ |
||||
- result = dns_db_findext(db, client->query.qname, version, type, |
||||
+ if (dns64 && rpz) |
||||
+ rpzqname = client->query.rpz_st->qname; |
||||
+ else |
||||
+ rpzqname = client->query.qname; |
||||
+ |
||||
+ result = dns_db_findext(db, rpzqname, version, type, |
||||
client->query.dboptions, client->now, |
||||
&node, fname, &cm, &ci, rdataset, sigrdataset); |
||||
+ /* |
||||
+ * Fixup fname and sigrdataset. |
||||
+ */ |
||||
+ if (dns64 && rpz) { |
||||
+ isc_result_t rresult; |
||||
+ |
||||
+ rresult = dns_name_copy(client->query.qname, fname, NULL); |
||||
+ RUNTIME_CHECK(rresult == ISC_R_SUCCESS); |
||||
+ if (sigrdataset != NULL && |
||||
+ dns_rdataset_isassociated(sigrdataset)) |
||||
+ dns_rdataset_disassociate(sigrdataset); |
||||
+ } |
||||
|
||||
resume: |
||||
CTRACE("query_find: resume"); |
||||
@@ -6067,9 +6087,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
switch (rpz_st->m.policy) { |
||||
case DNS_RPZ_POLICY_NXDOMAIN: |
||||
result = DNS_R_NXDOMAIN; |
||||
+ rpz = ISC_TRUE; |
||||
break; |
||||
case DNS_RPZ_POLICY_NODATA: |
||||
result = DNS_R_NXRRSET; |
||||
+ rpz = ISC_TRUE; |
||||
break; |
||||
case DNS_RPZ_POLICY_RECORD: |
||||
result = rpz_st->m.result; |
||||
@@ -6089,6 +6111,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
rdataset->ttl = ISC_MIN(rdataset->ttl, |
||||
rpz_st->m.ttl); |
||||
} |
||||
+ rpz = ISC_TRUE; |
||||
break; |
||||
case DNS_RPZ_POLICY_WILDCNAME: |
||||
result = dns_rdataset_first(rdataset); |
||||
@@ -6130,7 +6153,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | |
||||
DNS_MESSAGEFLAG_AD); |
||||
query_putrdataset(client, &sigrdataset); |
||||
- rpz_st->q.is_zone = is_zone; |
||||
is_zone = ISC_TRUE; |
||||
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, |
||||
rpz_st->m.type, zone, rpz_st->qname); |
||||
@@ -6509,15 +6531,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
rdataset = NULL; |
||||
sigrdataset = NULL; |
||||
type = qtype = dns_rdatatype_a; |
||||
- rpz_st = client->query.rpz_st; |
||||
- if (rpz_st != NULL) { |
||||
- /* |
||||
- * Arrange for RPZ rewriting of any A records. |
||||
- */ |
||||
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) |
||||
- is_zone = rpz_st->q.is_zone; |
||||
- rpz_st_clear(client); |
||||
- } |
||||
dns64 = ISC_TRUE; |
||||
goto db_find; |
||||
} |
||||
@@ -6786,15 +6799,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
sigrdataset = NULL; |
||||
fname = NULL; |
||||
type = qtype = dns_rdatatype_a; |
||||
- rpz_st = client->query.rpz_st; |
||||
- if (rpz_st != NULL) { |
||||
- /* |
||||
- * Arrange for RPZ rewriting of any A records. |
||||
- */ |
||||
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) |
||||
- is_zone = rpz_st->q.is_zone; |
||||
- rpz_st_clear(client); |
||||
- } |
||||
dns64 = ISC_TRUE; |
||||
goto db_find; |
||||
} |
||||
@@ -7296,15 +7300,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
rdataset = NULL; |
||||
sigrdataset = NULL; |
||||
type = qtype = dns_rdatatype_a; |
||||
- rpz_st = client->query.rpz_st; |
||||
- if (rpz_st != NULL) { |
||||
- /* |
||||
- * Arrange for RPZ rewriting of any A records. |
||||
- */ |
||||
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) |
||||
- is_zone = rpz_st->q.is_zone; |
||||
- rpz_st_clear(client); |
||||
- } |
||||
dns64_exclude = dns64 = ISC_TRUE; |
||||
goto db_find; |
||||
} |
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c |
||||
index 884107e..1417067 100644 |
||||
--- a/lib/dns/message.c |
||||
+++ b/lib/dns/message.c |
||||
@@ -1234,8 +1234,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
{ |
||||
isc_region_t r; |
||||
unsigned int count, rdatalen; |
||||
- dns_name_t *name; |
||||
- dns_name_t *name2; |
||||
+ dns_name_t *name = NULL; |
||||
+ dns_name_t *name2 = NULL; |
||||
dns_offsets_t *offsets; |
||||
dns_rdataset_t *rdataset; |
||||
dns_rdatalist_t *rdatalist; |
||||
@@ -1245,7 +1245,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, |
||||
dns_rdata_t *rdata; |
||||
dns_ttl_t ttl; |
||||
dns_namelist_t *section; |
||||
- isc_boolean_t free_name, free_rdataset; |
||||
+ isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE; |
||||
isc_boolean_t preserve_order, best_effort, seen_problem; |
||||
isc_boolean_t issigzero; |
||||
|
||||
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c |
||||
index 026d771..483ddfb 100644 |
||||
--- a/lib/dns/rdataset.c |
||||
+++ b/lib/dns/rdataset.c |
||||
@@ -336,6 +336,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name, |
||||
*/ |
||||
|
||||
REQUIRE(DNS_RDATASET_VALID(rdataset)); |
||||
+ REQUIRE(rdataset->methods != NULL); |
||||
REQUIRE(countp != NULL); |
||||
REQUIRE((order == NULL) == (order_arg == NULL)); |
||||
REQUIRE(cctx != NULL && cctx->mctx != NULL); |
||||
-- |
||||
2.9.3 |
||||
|
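Review bot: The new `if (dns64 && rpz) rpzqname = client->query.rpz_st->qname;` at line 5868 of query_find dereferences rpz_st without a NULL test. That is safe only because `rpz` is set to ISC_TRUE solely inside the `switch (rpz_st->m.policy)` in the 6090 hunk, where rpz_st is known non-NULL; I would record that invariant next to the dereference, e.g. `/* rpz is only set inside the rpz_st->m.policy switch, so rpz_st is non-NULL here. */`. The flag is reset at the 5737 hunk; whether the `goto db_find` at the three dns64 restart sites lands before or after that reset cannot be seen from these hunks and decides whether the dns64 retry keeps the flag, so that ordering deserves a check. query_find begins and ends outside the hunks.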
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
From d4d151cf34fab415e2823deada3433df7f475c71 Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 11 Apr 2017 16:19:08 +0200 |
||||
Subject: [PATCH 1/3] 4575. [security] DNS64 with "break-dnssec yes;" |
||||
can result in an assertion failure. (CVE-2017-3136) |
||||
[RT #44653] |
||||
|
||||
--- |
||||
bin/named/query.c | 1 + |
||||
1 file changed, 1 insertion(+) |
||||
|
||||
diff --git a/bin/named/query.c b/bin/named/query.c |
||||
index f60078b..6e988f5 100644 |
||||
--- a/bin/named/query.c |
||||
+++ b/bin/named/query.c |
||||
@@ -7324,6 +7324,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) |
||||
result = query_dns64(client, &fname, rdataset, |
||||
sigrdataset, dbuf, |
||||
DNS_SECTION_ANSWER); |
||||
+ noqname = NULL; |
||||
dns_rdataset_disassociate(rdataset); |
||||
dns_message_puttemprdataset(client->message, &rdataset); |
||||
if (result == ISC_R_NOMORE) { |
||||
-- |
||||
2.9.3 |
||||
|
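Review bot: The added `noqname = NULL;` after the query_dns64() call carries no explanation, and the reason is not visible in the hunk. Presumably noqname was obtained from the rdataset that query_dns64() rewrote and is invalid once that rdataset is disassociated on the next line; I would add `/* rdataset has been replaced by query_dns64(); the noqname taken from the old one is stale. */` above the assignment, after confirming that against the code before the hunk. query_find begins and ends outside the hunk.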
@ -0,0 +1,497 @@
@@ -0,0 +1,497 @@
|
||||
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c |
||||
index 00a0080..336c4da 100644 |
||||
--- a/lib/dns/dnssec.c |
||||
+++ b/lib/dns/dnssec.c |
||||
@@ -982,6 +982,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, |
||||
mctx = msg->mctx; |
||||
|
||||
msg->verify_attempted = 1; |
||||
+ msg->verified_sig = 0; |
||||
+ msg->sig0status = dns_tsigerror_badsig; |
||||
|
||||
if (is_response(msg)) { |
||||
if (msg->query.base == NULL) |
||||
@@ -1076,6 +1078,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg, |
||||
} |
||||
|
||||
msg->verified_sig = 1; |
||||
+ msg->sig0status = dns_rcode_noerror; |
||||
|
||||
dst_context_destroy(&ctx); |
||||
dns_rdata_freestruct(&sig); |
||||
diff --git a/lib/dns/message.c b/lib/dns/message.c |
||||
index 1417067..0621175 100644 |
||||
--- a/lib/dns/message.c |
||||
+++ b/lib/dns/message.c |
||||
@@ -3052,12 +3052,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { |
||||
|
||||
result = dns_rdata_tostruct(&rdata, &tsig, NULL); |
||||
INSIST(result == ISC_R_SUCCESS); |
||||
- if (msg->tsigstatus != dns_rcode_noerror) |
||||
+ if (msg->verified_sig && |
||||
+ msg->tsigstatus == dns_rcode_noerror && |
||||
+ tsig.error == dns_rcode_noerror) |
||||
+ { |
||||
+ result = ISC_R_SUCCESS; |
||||
+ } else if ((!msg->verified_sig) || |
||||
+ (msg->tsigstatus != dns_rcode_noerror)) |
||||
+ { |
||||
result = DNS_R_TSIGVERIFYFAILURE; |
||||
- else if (tsig.error != dns_rcode_noerror) |
||||
+ } else { |
||||
+ INSIST(tsig.error != dns_rcode_noerror); |
||||
result = DNS_R_TSIGERRORSET; |
||||
- else |
||||
- result = ISC_R_SUCCESS; |
||||
+ } |
||||
dns_rdata_freestruct(&tsig); |
||||
|
||||
if (msg->tsigkey == NULL) { |
||||
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c |
||||
index 3239bff..7b91d1e 100644 |
||||
--- a/lib/dns/tsig.c |
||||
+++ b/lib/dns/tsig.c |
||||
@@ -941,11 +941,20 @@ dns_tsig_sign(dns_message_t *msg) { |
||||
isc_buffer_putuint48(&otherbuf, tsig.timesigned); |
||||
} |
||||
|
||||
- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) { |
||||
+ if ((key->key != NULL) && |
||||
+ (tsig.error != dns_tsigerror_badsig) && |
||||
+ (tsig.error != dns_tsigerror_badkey)) |
||||
+ { |
||||
unsigned char header[DNS_MESSAGE_HEADERLEN]; |
||||
isc_buffer_t headerbuf; |
||||
isc_uint16_t digestbits; |
||||
|
||||
+ /* |
||||
+ * If it is a response, we assume that the request MAC |
||||
+ * has validated at this point. This is why we include a |
||||
+ * MAC length > 0 in the reply. |
||||
+ */ |
||||
+ |
||||
ret = dst_context_create3(key->key, mctx, |
||||
DNS_LOGCATEGORY_DNSSEC, |
||||
ISC_TRUE, &ctx); |
||||
@@ -953,7 +962,7 @@ dns_tsig_sign(dns_message_t *msg) { |
||||
return (ret); |
||||
|
||||
/* |
||||
- * If this is a response, digest the query signature. |
||||
+ * If this is a response, digest the request's MAC. |
||||
*/ |
||||
if (response) { |
||||
dns_rdata_t querytsigrdata = DNS_RDATA_INIT; |
||||
@@ -1083,6 +1092,17 @@ dns_tsig_sign(dns_message_t *msg) { |
||||
dst_context_destroy(&ctx); |
||||
digestbits = dst_key_getbits(key->key); |
||||
if (digestbits != 0) { |
||||
+ /* |
||||
+ * XXXRAY: Is this correct? What is the |
||||
+ * expected behavior when digestbits is not an |
||||
+ * integral multiple of 8? It looks like bytes |
||||
+ * should either be (digestbits/8) or |
||||
+ * (digestbits+7)/8. |
||||
+ * |
||||
+ * In any case, for current algorithms, |
||||
+ * digestbits are an integral multiple of 8, so |
||||
+ * it has the same effect as (digestbits/8). |
||||
+ */ |
||||
unsigned int bytes = (digestbits + 1) / 8; |
||||
if (response && bytes < querytsig.siglen) |
||||
bytes = querytsig.siglen; |
||||
@@ -1196,6 +1216,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
||||
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey)); |
||||
|
||||
msg->verify_attempted = 1; |
||||
+ msg->verified_sig = 0; |
||||
+ msg->tsigstatus = dns_tsigerror_badsig; |
||||
|
||||
if (msg->tcp_continuation) { |
||||
if (tsigkey == NULL || msg->querytsig == NULL) |
||||
@@ -1294,19 +1316,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
||||
key = tsigkey->key; |
||||
|
||||
/* |
||||
- * Is the time ok? |
||||
- */ |
||||
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { |
||||
- msg->tsigstatus = dns_tsigerror_badtime; |
||||
- tsig_log(msg->tsigkey, 2, "signature has expired"); |
||||
- return (DNS_R_CLOCKSKEW); |
||||
- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { |
||||
- msg->tsigstatus = dns_tsigerror_badtime; |
||||
- tsig_log(msg->tsigkey, 2, "signature is in the future"); |
||||
- return (DNS_R_CLOCKSKEW); |
||||
- } |
||||
- |
||||
- /* |
||||
* Check digest length. |
||||
*/ |
||||
alg = dst_key_alg(key); |
||||
@@ -1315,31 +1324,19 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
||||
return (ret); |
||||
if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 || |
||||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || |
||||
- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) { |
||||
- isc_uint16_t digestbits = dst_key_getbits(key); |
||||
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) |
||||
+ { |
||||
if (tsig.siglen > siglen) { |
||||
- tsig_log(msg->tsigkey, 2, "signature length to big"); |
||||
+ tsig_log(msg->tsigkey, 2, "signature length too big"); |
||||
return (DNS_R_FORMERR); |
||||
} |
||||
if (tsig.siglen > 0 && |
||||
- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) { |
||||
+ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) |
||||
+ { |
||||
tsig_log(msg->tsigkey, 2, |
||||
"signature length below minimum"); |
||||
return (DNS_R_FORMERR); |
||||
} |
||||
- if (tsig.siglen > 0 && digestbits != 0 && |
||||
- tsig.siglen < ((digestbits + 1) / 8)) { |
||||
- msg->tsigstatus = dns_tsigerror_badtrunc; |
||||
- tsig_log(msg->tsigkey, 2, |
||||
- "truncated signature length too small"); |
||||
- return (DNS_R_TSIGVERIFYFAILURE); |
||||
- } |
||||
- if (tsig.siglen > 0 && digestbits == 0 && |
||||
- tsig.siglen < siglen) { |
||||
- msg->tsigstatus = dns_tsigerror_badtrunc; |
||||
- tsig_log(msg->tsigkey, 2, "signature length too small"); |
||||
- return (DNS_R_TSIGVERIFYFAILURE); |
||||
- } |
||||
} |
||||
|
||||
if (tsig.siglen > 0) { |
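Review bot: The signature-length bounds check in this hunk still lists `alg == DST_ALG_HMACMD5 ||` unconditionally, whereas the new digest-length block added later in the same function (`@@ -1451,34 +1448,92 @@`) and the matching check in tsig_verify_tcp (`@@ -1557,27 +1619,40 @@`) wrap that comparison in `#ifndef PK11_MD5_DISABLE`. Unless DST_ALG_HMACMD5 stays defined in MD5-disabled builds (not visible here), this is either a compile failure or, at best, an inconsistent policy on which algorithms get the sizing checks; wrapping the first occurrence the same way, `#ifndef PK11_MD5_DISABLE` / `alg == DST_ALG_HMACMD5 ||` / `#endif`, keeps the two lists identical. The enclosing dns_tsig_verify body begins before and continues after this hunk.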
||||
@@ -1451,34 +1448,92 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
||||
|
||||
ret = dst_context_verify(ctx, &sig_r); |
||||
if (ret == DST_R_VERIFYFAILURE) { |
||||
- msg->tsigstatus = dns_tsigerror_badsig; |
||||
ret = DNS_R_TSIGVERIFYFAILURE; |
||||
tsig_log(msg->tsigkey, 2, |
||||
"signature failed to verify(1)"); |
||||
goto cleanup_context; |
||||
- } else if (ret != ISC_R_SUCCESS) |
||||
+ } else if (ret != ISC_R_SUCCESS) { |
||||
goto cleanup_context; |
||||
- |
||||
- dst_context_destroy(&ctx); |
||||
+ } |
||||
} else if (tsig.error != dns_tsigerror_badsig && |
||||
tsig.error != dns_tsigerror_badkey) { |
||||
- msg->tsigstatus = dns_tsigerror_badsig; |
||||
tsig_log(msg->tsigkey, 2, "signature was empty"); |
||||
return (DNS_R_TSIGVERIFYFAILURE); |
||||
} |
||||
|
||||
- msg->tsigstatus = dns_rcode_noerror; |
||||
+ /* |
||||
+ * Here at this point, the MAC has been verified. Even if any of |
||||
+ * the following code returns a TSIG error, the reply will be |
||||
+ * signed and WILL always include the request MAC in the digest |
||||
+ * computation. |
||||
+ */ |
||||
+ |
||||
+ /* |
||||
+ * Is the time ok? |
||||
+ */ |
||||
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { |
||||
+ msg->tsigstatus = dns_tsigerror_badtime; |
||||
+ tsig_log(msg->tsigkey, 2, "signature has expired"); |
||||
+ ret = DNS_R_CLOCKSKEW; |
||||
+ goto cleanup_context; |
||||
+ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) { |
||||
+ msg->tsigstatus = dns_tsigerror_badtime; |
||||
+ tsig_log(msg->tsigkey, 2, "signature is in the future"); |
||||
+ ret = DNS_R_CLOCKSKEW; |
||||
+ goto cleanup_context; |
||||
+ } |
||||
+ |
||||
+ if ( |
||||
+#ifndef PK11_MD5_DISABLE |
||||
+ alg == DST_ALG_HMACMD5 || |
||||
+#endif |
||||
+ alg == DST_ALG_HMACSHA1 || |
||||
+ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 || |
||||
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) |
||||
+ { |
||||
+ isc_uint16_t digestbits = dst_key_getbits(key); |
||||
+ |
||||
+ /* |
||||
+ * XXXRAY: Is this correct? What is the expected |
||||
+ * behavior when digestbits is not an integral multiple |
||||
+ * of 8? It looks like bytes should either be |
||||
+ * (digestbits/8) or (digestbits+7)/8. |
||||
+ * |
||||
+ * In any case, for current algorithms, digestbits are |
||||
+ * an integral multiple of 8, so it has the same effect |
||||
+ * as (digestbits/8). |
||||
+ */ |
||||
+ if (tsig.siglen > 0 && digestbits != 0 && |
||||
+ tsig.siglen < ((digestbits + 1) / 8)) |
||||
+ { |
||||
+ msg->tsigstatus = dns_tsigerror_badtrunc; |
||||
+ tsig_log(msg->tsigkey, 2, |
||||
+ "truncated signature length too small"); |
||||
+ ret = DNS_R_TSIGVERIFYFAILURE; |
||||
+ goto cleanup_context; |
||||
+ } |
||||
+ if (tsig.siglen > 0 && digestbits == 0 && |
||||
+ tsig.siglen < siglen) |
||||
+ { |
||||
+ msg->tsigstatus = dns_tsigerror_badtrunc; |
||||
+ tsig_log(msg->tsigkey, 2, "signature length too small"); |
||||
+ ret = DNS_R_TSIGVERIFYFAILURE; |
||||
+ goto cleanup_context; |
||||
+ } |
||||
+ } |
||||
|
||||
if (tsig.error != dns_rcode_noerror) { |
||||
+ msg->tsigstatus = tsig.error; |
||||
if (tsig.error == dns_tsigerror_badtime) |
||||
- return (DNS_R_CLOCKSKEW); |
||||
+ ret = DNS_R_CLOCKSKEW; |
||||
else |
||||
- return (DNS_R_TSIGERRORSET); |
||||
+ ret = DNS_R_TSIGERRORSET; |
||||
+ goto cleanup_context; |
||||
} |
||||
|
||||
+ msg->tsigstatus = dns_rcode_noerror; |
||||
msg->verified_sig = 1; |
||||
- |
||||
- return (ISC_R_SUCCESS); |
||||
+ ret = ISC_R_SUCCESS; |
||||
|
||||
cleanup_context: |
||||
if (ctx != NULL) |
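Review bot: Every error exit in the rewritten tail of dns_tsig_verify now sets `ret` and jumps to `cleanup_context`, except the "signature was empty" branch, which keeps a direct `return (DNS_R_TSIGVERIFYFAILURE);` and so bypasses the `if (ctx != NULL) dst_context_destroy(&ctx)` at the label. That is presumably safe only because ctx has not been created when tsig.siglen is zero, but the reader has to establish that from code outside this hunk; `ret = DNS_R_TSIGVERIFYFAILURE; goto cleanup_context;` would make the exits uniform and robust to later reordering. The XXXRAY comment questions `(digestbits + 1) / 8` and then states the result equals `digestbits / 8` for every current algorithm; if that is the intended contract, writing `digestbits / 8` (or `(digestbits + 7) / 8`, whichever the TSIG truncation rule requires) and dropping the open question would be clearer than carrying it in three places.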
||||
@@ -1503,6 +1558,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
isc_uint16_t addcount, id; |
||||
isc_boolean_t has_tsig = ISC_FALSE; |
||||
isc_mem_t *mctx; |
||||
+ unsigned int siglen; |
||||
+ unsigned int alg; |
||||
|
||||
REQUIRE(source != NULL); |
||||
REQUIRE(msg != NULL); |
||||
@@ -1510,12 +1567,16 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
REQUIRE(msg->tcp_continuation == 1); |
||||
REQUIRE(msg->querytsig != NULL); |
||||
|
||||
+ msg->verified_sig = 0; |
||||
+ msg->tsigstatus = dns_tsigerror_badsig; |
||||
+ |
||||
if (!is_response(msg)) |
||||
return (DNS_R_EXPECTEDRESPONSE); |
||||
|
||||
mctx = msg->mctx; |
||||
|
||||
tsigkey = dns_message_gettsigkey(msg); |
||||
+ key = tsigkey->key; |
||||
|
||||
/* |
||||
* Extract and parse the previous TSIG |
||||
@@ -1548,7 +1609,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
* Do the key name and algorithm match that of the query? |
||||
*/ |
||||
if (!dns_name_equal(keyname, &tsigkey->name) || |
||||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) { |
||||
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) |
||||
+ { |
||||
msg->tsigstatus = dns_tsigerror_badkey; |
||||
ret = DNS_R_TSIGVERIFYFAILURE; |
||||
tsig_log(msg->tsigkey, 2, |
||||
@@ -1557,27 +1619,40 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
} |
||||
|
||||
/* |
||||
- * Is the time ok? |
||||
+ * Check digest length. |
||||
*/ |
||||
- isc_stdtime_get(&now); |
||||
- |
||||
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { |
||||
- msg->tsigstatus = dns_tsigerror_badtime; |
||||
- tsig_log(msg->tsigkey, 2, "signature has expired"); |
||||
- ret = DNS_R_CLOCKSKEW; |
||||
- goto cleanup_querystruct; |
||||
- } else if (now + msg->timeadjust < |
||||
- tsig.timesigned - tsig.fudge) { |
||||
- msg->tsigstatus = dns_tsigerror_badtime; |
||||
- tsig_log(msg->tsigkey, 2, |
||||
- "signature is in the future"); |
||||
- ret = DNS_R_CLOCKSKEW; |
||||
+ alg = dst_key_alg(key); |
||||
+ ret = dst_key_sigsize(key, &siglen); |
||||
+ if (ret != ISC_R_SUCCESS) |
||||
goto cleanup_querystruct; |
||||
+ if ( |
||||
+#ifndef PK11_MD5_DISABLE |
||||
+ alg == DST_ALG_HMACMD5 || |
||||
+#endif |
||||
+ alg == DST_ALG_HMACSHA1 || |
||||
+ alg == DST_ALG_HMACSHA224 || |
||||
+ alg == DST_ALG_HMACSHA256 || |
||||
+ alg == DST_ALG_HMACSHA384 || |
||||
+ alg == DST_ALG_HMACSHA512) |
||||
+ { |
||||
+ if (tsig.siglen > siglen) { |
||||
+ tsig_log(tsigkey, 2, |
||||
+ "signature length too big"); |
||||
+ ret = DNS_R_FORMERR; |
||||
+ goto cleanup_querystruct; |
||||
+ } |
||||
+ if (tsig.siglen > 0 && |
||||
+ (tsig.siglen < 10 || |
||||
+ tsig.siglen < ((siglen + 1) / 2))) |
||||
+ { |
||||
+ tsig_log(tsigkey, 2, |
||||
+ "signature length below minimum"); |
||||
+ ret = DNS_R_FORMERR; |
||||
+ goto cleanup_querystruct; |
||||
+ } |
||||
} |
||||
} |
||||
|
||||
- key = tsigkey->key; |
||||
- |
||||
if (msg->tsigctx == NULL) { |
||||
ret = dst_context_create3(key, mctx, |
||||
DNS_LOGCATEGORY_DNSSEC, |
||||
@@ -1670,10 +1745,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
sig_r.length = tsig.siglen; |
||||
if (tsig.siglen == 0) { |
||||
if (tsig.error != dns_rcode_noerror) { |
||||
- if (tsig.error == dns_tsigerror_badtime) |
||||
+ msg->tsigstatus = tsig.error; |
||||
+ if (tsig.error == dns_tsigerror_badtime) { |
||||
ret = DNS_R_CLOCKSKEW; |
||||
- else |
||||
+ } else { |
||||
ret = DNS_R_TSIGERRORSET; |
||||
+ } |
||||
} else { |
||||
tsig_log(msg->tsigkey, 2, |
||||
"signature is empty"); |
||||
@@ -1684,29 +1761,111 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
|
||||
ret = dst_context_verify(msg->tsigctx, &sig_r); |
||||
if (ret == DST_R_VERIFYFAILURE) { |
||||
- msg->tsigstatus = dns_tsigerror_badsig; |
||||
tsig_log(msg->tsigkey, 2, |
||||
"signature failed to verify(2)"); |
||||
ret = DNS_R_TSIGVERIFYFAILURE; |
||||
goto cleanup_context; |
||||
+ } else if (ret != ISC_R_SUCCESS) { |
||||
+ goto cleanup_context; |
||||
} |
||||
- else if (ret != ISC_R_SUCCESS) |
||||
+ |
||||
+ /* |
||||
+ * Here at this point, the MAC has been verified. Even |
||||
+ * if any of the following code returns a TSIG error, |
||||
+ * the reply will be signed and WILL always include the |
||||
+ * request MAC in the digest computation. |
||||
+ */ |
||||
+ |
||||
+ /* |
||||
+ * Is the time ok? |
||||
+ */ |
||||
+ isc_stdtime_get(&now); |
||||
+ |
||||
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) { |
||||
+ msg->tsigstatus = dns_tsigerror_badtime; |
||||
+ tsig_log(msg->tsigkey, 2, "signature has expired"); |
||||
+ ret = DNS_R_CLOCKSKEW; |
||||
+ goto cleanup_context; |
||||
+ } else if (now + msg->timeadjust < |
||||
+ tsig.timesigned - tsig.fudge) |
||||
+ { |
||||
+ msg->tsigstatus = dns_tsigerror_badtime; |
||||
+ tsig_log(msg->tsigkey, 2, |
||||
+ "signature is in the future"); |
||||
+ ret = DNS_R_CLOCKSKEW; |
||||
goto cleanup_context; |
||||
+ } |
||||
|
||||
- dst_context_destroy(&msg->tsigctx); |
||||
+ alg = dst_key_alg(key); |
||||
+ ret = dst_key_sigsize(key, &siglen); |
||||
+ if (ret != ISC_R_SUCCESS) |
||||
+ goto cleanup_context; |
||||
+ if ( |
||||
+#ifndef PK11_MD5_DISABLE |
||||
+ alg == DST_ALG_HMACMD5 || |
||||
+#endif |
||||
+ alg == DST_ALG_HMACSHA1 || |
||||
+ alg == DST_ALG_HMACSHA224 || |
||||
+ alg == DST_ALG_HMACSHA256 || |
||||
+ alg == DST_ALG_HMACSHA384 || |
||||
+ alg == DST_ALG_HMACSHA512) |
||||
+ { |
||||
+ isc_uint16_t digestbits = dst_key_getbits(key); |
||||
+ |
||||
+ /* |
||||
+ * XXXRAY: Is this correct? What is the |
||||
+ * expected behavior when digestbits is not an |
||||
+ * integral multiple of 8? It looks like bytes |
||||
+ * should either be (digestbits/8) or |
||||
+ * (digestbits+7)/8. |
||||
+ * |
||||
+ * In any case, for current algorithms, |
||||
+ * digestbits are an integral multiple of 8, so |
||||
+ * it has the same effect as (digestbits/8). |
||||
+ */ |
||||
+ if (tsig.siglen > 0 && digestbits != 0 && |
||||
+ tsig.siglen < ((digestbits + 1) / 8)) |
||||
+ { |
||||
+ msg->tsigstatus = dns_tsigerror_badtrunc; |
||||
+ tsig_log(msg->tsigkey, 2, |
||||
+ "truncated signature length " |
||||
+ "too small"); |
||||
+ ret = DNS_R_TSIGVERIFYFAILURE; |
||||
+ goto cleanup_context; |
||||
+ } |
||||
+ if (tsig.siglen > 0 && digestbits == 0 && |
||||
+ tsig.siglen < siglen) |
||||
+ { |
||||
+ msg->tsigstatus = dns_tsigerror_badtrunc; |
||||
+ tsig_log(msg->tsigkey, 2, |
||||
+ "signature length too small"); |
||||
+ ret = DNS_R_TSIGVERIFYFAILURE; |
||||
+ goto cleanup_context; |
||||
+ } |
||||
+ } |
||||
+ |
||||
+ if (tsig.error != dns_rcode_noerror) { |
||||
+ msg->tsigstatus = tsig.error; |
||||
+ if (tsig.error == dns_tsigerror_badtime) |
||||
+ ret = DNS_R_CLOCKSKEW; |
||||
+ else |
||||
+ ret = DNS_R_TSIGERRORSET; |
||||
+ goto cleanup_context; |
||||
+ } |
||||
} |
||||
|
||||
msg->tsigstatus = dns_rcode_noerror; |
||||
- return (ISC_R_SUCCESS); |
||||
+ msg->verified_sig = 1; |
||||
+ ret = ISC_R_SUCCESS; |
||||
|
||||
cleanup_context: |
||||
- dst_context_destroy(&msg->tsigctx); |
||||
+ if (msg->tsigctx != NULL) |
||||
+ dst_context_destroy(&msg->tsigctx); |
||||
|
||||
cleanup_querystruct: |
||||
dns_rdata_freestruct(&querytsig); |
||||
|
||||
return (ret); |
||||
- |
||||
} |
||||
|
||||
isc_result_t |
@@ -0,0 +1,124 @@
|
||||
From 4d73fed57703f561aefd545eda0f3f2c5e69a547 Mon Sep 17 00:00:00 2001 |
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> |
||||
Date: Tue, 16 Jan 2018 09:50:45 +0100 |
||||
Subject: [PATCH] 4858. [security] Addresses could be referenced after |
||||
being freed in resolver.c, causing an assertion failure. |
||||
(CVE-2017-3145) [RT #46839] |
||||
|
||||
--- |
||||
lib/dns/resolver.c | 37 +++++++++++++++++++++++-------------- |
||||
1 file changed, 23 insertions(+), 14 deletions(-) |
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 860a792..619646f 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -751,7 +751,7 @@ fctx_stoptimer(fetchctx_t *fctx) { |
||||
* cannot fail in that case. |
||||
*/ |
||||
result = isc_timer_reset(fctx->timer, isc_timertype_inactive, |
||||
- NULL, NULL, ISC_TRUE); |
||||
+ NULL, NULL, ISC_TRUE); |
||||
if (result != ISC_R_SUCCESS) { |
||||
UNEXPECTED_ERROR(__FILE__, __LINE__, |
||||
"isc_timer_reset(): %s", |
||||
@@ -759,7 +759,6 @@ fctx_stoptimer(fetchctx_t *fctx) { |
||||
} |
||||
} |
||||
|
||||
- |
||||
static inline isc_result_t |
||||
fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) { |
||||
/* |
||||
@@ -992,7 +991,8 @@ fctx_cleanupfinds(fetchctx_t *fctx) { |
||||
|
||||
for (find = ISC_LIST_HEAD(fctx->finds); |
||||
find != NULL; |
||||
- find = next_find) { |
||||
+ find = next_find) |
||||
+ { |
||||
next_find = ISC_LIST_NEXT(find, publink); |
||||
ISC_LIST_UNLINK(fctx->finds, find, publink); |
||||
dns_adb_destroyfind(&find); |
||||
@@ -1008,7 +1008,8 @@ fctx_cleanupaltfinds(fetchctx_t *fctx) { |
||||
|
||||
for (find = ISC_LIST_HEAD(fctx->altfinds); |
||||
find != NULL; |
||||
- find = next_find) { |
||||
+ find = next_find) |
||||
+ { |
||||
next_find = ISC_LIST_NEXT(find, publink); |
||||
ISC_LIST_UNLINK(fctx->altfinds, find, publink); |
||||
dns_adb_destroyfind(&find); |
||||
@@ -1024,7 +1025,8 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) { |
||||
|
||||
for (addr = ISC_LIST_HEAD(fctx->forwaddrs); |
||||
addr != NULL; |
||||
- addr = next_addr) { |
||||
+ addr = next_addr) |
||||
+ { |
||||
next_addr = ISC_LIST_NEXT(addr, publink); |
||||
ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink); |
||||
dns_adb_freeaddrinfo(fctx->adb, &addr); |
||||
@@ -1039,7 +1041,8 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) { |
||||
|
||||
for (addr = ISC_LIST_HEAD(fctx->altaddrs); |
||||
addr != NULL; |
||||
- addr = next_addr) { |
||||
+ addr = next_addr) |
||||
+ { |
||||
next_addr = ISC_LIST_NEXT(addr, publink); |
||||
ISC_LIST_UNLINK(fctx->altaddrs, addr, publink); |
||||
dns_adb_freeaddrinfo(fctx->adb, &addr); |
||||
@@ -1047,14 +1050,18 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) { |
||||
} |
||||
|
||||
static inline void |
||||
-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) { |
||||
- FCTXTRACE("stopeverything"); |
||||
+fctx_stopqueries(fetchctx_t *fctx, isc_boolean_t no_response) { |
||||
+ FCTXTRACE("stopqueries"); |
||||
fctx_cancelqueries(fctx, no_response); |
||||
+ fctx_stoptimer(fctx); |
||||
+} |
||||
+ |
||||
+static inline void |
||||
+fctx_cleanupall(fetchctx_t *fctx) { |
||||
fctx_cleanupfinds(fctx); |
||||
fctx_cleanupaltfinds(fctx); |
||||
fctx_cleanupforwaddrs(fctx); |
||||
fctx_cleanupaltaddrs(fctx); |
||||
- fctx_stoptimer(fctx); |
||||
} |
||||
|
||||
static inline void |
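Review bot: Neither new helper documents why the cleanup of finds and addresses was split out of the former fctx_stopeverything, and the reason (the use-after-free described in the patch subject) lives only in the commit message. Since fctx_done now calls only fctx_stopqueries while fctx_doshutdown calls both, a comment above fctx_cleanupall such as `/* Release finds and address lists; deferred to shutdown because completed queries may still reference them after fctx_done. */` would keep a future caller from reintroducing the freeing into the done path. The wording of the deferral reason is inferred from the subject line and should be checked against the actual lifetime of the address references.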
||||
@@ -1184,7 +1191,8 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) { |
||||
no_response = ISC_FALSE; |
||||
|
||||
fctx->reason = NULL; |
||||
- fctx_stopeverything(fctx, no_response); |
||||
+ |
||||
+ fctx_stopqueries(fctx, no_response); |
||||
|
||||
LOCK(&res->buckets[fctx->bucketnum].lock); |
||||
|
||||
@@ -3336,11 +3344,12 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) { |
||||
dns_resolver_cancelfetch(fctx->nsfetch); |
||||
|
||||
/* |
||||
- * Shut down anything that is still running on behalf of this |
||||
- * fetch. To avoid deadlock with the ADB, we must do this |
||||
- * before we lock the bucket lock. |
||||
+ * Shut down anything still running on behalf of this |
||||
+ * fetch, and clean up finds and addresses. To avoid deadlock |
||||
+ * with the ADB, we must do this before we lock the bucket lock. |
||||
*/ |
||||
- fctx_stopeverything(fctx, ISC_FALSE); |
||||
+ fctx_stopqueries(fctx, ISC_FALSE); |
||||
+ fctx_cleanupall(fctx); |
||||
|
||||
LOCK(&res->buckets[bucketnum].lock); |
||||
|
||||
-- |
||||
2.14.3 |
||||
|
@@ -0,0 +1,61 @@
|
||||
From 18df9e628ea10c7d607f43fcfd935e7924731f24 Mon Sep 17 00:00:00 2001 |
||||
From: Evan Hunt <each@isc.org> |
||||
Date: Mon, 9 Sep 2013 22:12:47 -0700 |
||||
Subject: [PATCH] [master] strdup journal filename |
||||
|
||||
3646. [bug] Journal filename string could be set incorrectly, |
||||
causing garbage in log messages. [RT #34738] |
||||
--- |
||||
lib/dns/journal.c | 12 +++++++++--- |
||||
1 file changed, 9 insertions(+), 3 deletions(-) |
||||
|
||||
diff --git a/lib/dns/journal.c b/lib/dns/journal.c |
||||
index 08aabd5..46a52e1 100644 |
||||
--- a/lib/dns/journal.c |
||||
+++ b/lib/dns/journal.c |
||||
@@ -307,7 +307,7 @@ struct dns_journal { |
||||
unsigned int magic; /*%< JOUR */ |
||||
isc_mem_t *mctx; /*%< Memory context */ |
||||
journal_state_t state; |
||||
- const char *filename; /*%< Journal file name */ |
||||
+ char *filename; /*%< Journal file name */ |
||||
FILE * fp; /*%< File handle */ |
||||
isc_offset_t offset; /*%< Current file offset */ |
||||
journal_header_t header; /*%< In-core journal header */ |
||||
@@ -573,10 +573,13 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write, |
||||
isc_mem_attach(mctx, &j->mctx); |
||||
j->state = JOURNAL_STATE_INVALID; |
||||
j->fp = NULL; |
||||
- j->filename = filename; |
||||
+ j->filename = isc_mem_strdup(mctx, filename); |
||||
j->index = NULL; |
||||
j->rawindex = NULL; |
||||
|
||||
+ if (j->filename == NULL) |
||||
+ FAIL(ISC_R_NOMEMORY); |
||||
+ |
||||
result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp); |
||||
|
||||
if (result == ISC_R_FILENOTFOUND) { |
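Review bot: The copy is made with `isc_mem_strdup(mctx, filename)` but released, in both the error path and dns_journal_destroy, with `isc_mem_free(j->mctx, ...)`; these are the same context only because `isc_mem_attach(mctx, &j->mctx)` runs just above, which a reader has to verify. Using `j->mctx` in the strdup as well, `j->filename = isc_mem_strdup(j->mctx, filename);`, makes the allocate/free pairing self-evident. The `FAIL(ISC_R_NOMEMORY)` on a NULL result is placed after `j->index` and `j->rawindex` are nulled, so the failure path that frees `j->index` sees a consistent object; worth a one-line comment since the ordering is deliberate.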
||||
@@ -679,6 +682,8 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write, |
||||
sizeof(journal_rawpos_t)); |
||||
j->index = NULL; |
||||
} |
||||
+ if (j->filename != NULL) |
||||
+ isc_mem_free(j->mctx, j->filename); |
||||
if (j->fp != NULL) |
||||
(void)isc_stdio_close(j->fp); |
||||
isc_mem_putanddetach(&j->mctx, j, sizeof(*j)); |
||||
@@ -1242,7 +1247,8 @@ dns_journal_destroy(dns_journal_t **journalp) { |
||||
isc_mem_put(j->mctx, j->it.target.base, j->it.target.length); |
||||
if (j->it.source.base != NULL) |
||||
isc_mem_put(j->mctx, j->it.source.base, j->it.source.length); |
||||
- |
||||
+ if (j->filename != NULL) |
||||
+ isc_mem_free(j->mctx, j->filename); |
||||
if (j->fp != NULL) |
||||
(void)isc_stdio_close(j->fp); |
||||
j->magic = 0; |
||||
-- |
||||
1.8.3.1 |
||||
|
@@ -0,0 +1,213 @@
|
||||
diff -up bind-9.9.4/bin/dig/dighost.c.send_buffers bind-9.9.4/bin/dig/dighost.c |
||||
--- bind-9.9.4/bin/dig/dighost.c.send_buffers 2013-10-31 14:22:20.296811613 +0100 |
||||
+++ bind-9.9.4/bin/dig/dighost.c 2013-10-31 14:57:00.336400190 +0100 |
||||
@@ -194,6 +194,7 @@ isc_boolean_t validated = ISC_TRUE; |
||||
isc_entropy_t *entp = NULL; |
||||
isc_mempool_t *commctx = NULL; |
||||
isc_boolean_t debugging = ISC_FALSE; |
||||
+isc_boolean_t debugtiming = ISC_FALSE; |
||||
isc_boolean_t memdebugging = ISC_FALSE; |
||||
char *progname = NULL; |
||||
isc_mutex_t lookup_lock; |
||||
@@ -553,6 +554,12 @@ debug(const char *format, ...) { |
||||
|
||||
if (debugging) { |
||||
fflush(stdout); |
||||
+ if (debugtiming) { |
||||
+ struct timeval tv; |
||||
+ (void)gettimeofday(&tv, NULL); |
||||
+ fprintf(stderr, "%ld.%06ld: ", (long)tv.tv_sec, |
||||
+ (long)tv.tv_usec); |
||||
+ } |
||||
va_start(args, format); |
||||
vfprintf(stderr, format, args); |
||||
va_end(args); |
||||
@@ -2416,8 +2423,10 @@ send_done(isc_task_t *_task, isc_event_t |
||||
|
||||
for (b = ISC_LIST_HEAD(sevent->bufferlist); |
||||
b != NULL; |
||||
- b = ISC_LIST_HEAD(sevent->bufferlist)) |
||||
+ b = ISC_LIST_HEAD(sevent->bufferlist)) { |
||||
ISC_LIST_DEQUEUE(sevent->bufferlist, b, link); |
||||
+ isc_mem_free(mctx, b); |
||||
+ } |
||||
|
||||
query = event->ev_arg; |
||||
query->waiting_senddone = ISC_FALSE; |
||||
@@ -2609,6 +2618,17 @@ send_tcp_connect(dig_query_t *query) { |
||||
} |
||||
} |
||||
|
||||
+static isc_buffer_t * |
||||
+clone_buffer(isc_buffer_t *source) { |
||||
+ isc_buffer_t *buffer; |
||||
+ buffer = isc_mem_allocate(mctx, sizeof(*buffer)); |
||||
+ if (buffer == NULL) |
||||
+ fatal("memory allocation failure in %s:%d", |
||||
+ __FILE__, __LINE__); |
||||
+ *buffer = *source; |
||||
+ return (buffer); |
||||
+} |
||||
+ |
||||
/*% |
||||
* Send a UDP packet to the remote nameserver, possible starting the |
||||
* recv action as well. Also make sure that the timer is running and |
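Review bot: clone_buffer copies the whole isc_buffer_t with `*buffer = *source;`, which includes the `link` member that the callers later enqueue on; the clone therefore inherits whatever link state the source had rather than starting unlinked. Adding `ISC_LINK_INIT(buffer, link);` after the copy makes the clone safe to enqueue regardless of the source's history (the file already initialises links this way for `query->slbuf`). send_done now frees every buffer it dequeues with `isc_mem_free(mctx, b)`, so this relies on every buffer placed on a sendlist having come from clone_buffer; a comment on clone_buffer stating that ownership passes to send_done would document that invariant. The `if (!query->first_soa_rcvd)` condition in launch_next_query also changes which buffers are queued, not just how they are allocated, which the patch description does not mention.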
||||
@@ -2618,6 +2638,7 @@ static void |
||||
send_udp(dig_query_t *query) { |
||||
dig_lookup_t *l = NULL; |
||||
isc_result_t result; |
||||
+ isc_buffer_t *sendbuf; |
||||
|
||||
debug("send_udp(%p)", query); |
||||
|
||||
@@ -2664,14 +2685,16 @@ send_udp(dig_query_t *query) { |
||||
debug("recvcount=%d", recvcount); |
||||
} |
||||
ISC_LIST_INIT(query->sendlist); |
||||
- ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link); |
||||
+ sendbuf = clone_buffer(&query->sendbuf); |
||||
+ ISC_LIST_ENQUEUE(query->sendlist, sendbuf, link); |
||||
debug("sending a request"); |
||||
TIME_NOW(&query->time_sent); |
||||
INSIST(query->sock != NULL); |
||||
query->waiting_senddone = ISC_TRUE; |
||||
- result = isc_socket_sendtov(query->sock, &query->sendlist, |
||||
- global_task, send_done, query, |
||||
- &query->sockaddr, NULL); |
||||
+ result = isc_socket_sendtov2(query->sock, &query->sendlist, |
||||
+ global_task, send_done, query, |
||||
+ &query->sockaddr, NULL, |
||||
+ ISC_SOCKFLAG_NORETRY); |
||||
check_result(result, "isc_socket_sendtov"); |
||||
sendcount++; |
||||
} |
||||
@@ -2838,6 +2861,7 @@ static void |
||||
launch_next_query(dig_query_t *query, isc_boolean_t include_question) { |
||||
isc_result_t result; |
||||
dig_lookup_t *l; |
||||
+ isc_buffer_t *buffer; |
||||
|
||||
INSIST(!free_now); |
||||
|
||||
@@ -2861,9 +2885,15 @@ launch_next_query(dig_query_t *query, is |
||||
isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->sendbuf.used); |
||||
ISC_LIST_INIT(query->sendlist); |
||||
ISC_LINK_INIT(&query->slbuf, link); |
||||
- ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link); |
||||
- if (include_question) |
||||
- ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link); |
||||
+ if (!query->first_soa_rcvd) { |
||||
+ buffer = clone_buffer(&query->slbuf); |
||||
+ ISC_LIST_ENQUEUE(query->sendlist, buffer, link); |
||||
+ if (include_question) { |
||||
+ buffer = clone_buffer(&query->sendbuf); |
||||
+ ISC_LIST_ENQUEUE(query->sendlist, buffer, link); |
||||
+ } |
||||
+ } |
||||
+ |
||||
ISC_LINK_INIT(&query->lengthbuf, link); |
||||
ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link); |
||||
|
||||
diff -up bind-9.9.4/bin/dig/host.c.send_buffers bind-9.9.4/bin/dig/host.c |
||||
--- bind-9.9.4/bin/dig/host.c.send_buffers 2013-10-31 14:22:20.270811568 +0100 |
||||
+++ bind-9.9.4/bin/dig/host.c 2013-10-31 14:22:20.328811669 +0100 |
||||
@@ -638,6 +638,8 @@ pre_parse_args(int argc, char **argv) { |
||||
case 'w': break; |
||||
case 'C': break; |
||||
case 'D': |
||||
+ if (debugging) |
||||
+ debugtiming = ISC_TRUE; |
||||
debugging = ISC_TRUE; |
||||
break; |
||||
case 'N': break; |
||||
diff -up bind-9.9.4/bin/dig/include/dig/dig.h.send_buffers bind-9.9.4/bin/dig/include/dig/dig.h |
||||
--- bind-9.9.4/bin/dig/include/dig/dig.h.send_buffers 2013-10-31 14:22:20.270811568 +0100 |
||||
+++ bind-9.9.4/bin/dig/include/dig/dig.h 2013-10-31 14:22:20.328811669 +0100 |
||||
@@ -275,7 +275,7 @@ extern isc_boolean_t validated; |
||||
extern isc_taskmgr_t *taskmgr; |
||||
extern isc_task_t *global_task; |
||||
extern isc_boolean_t free_now; |
||||
-extern isc_boolean_t debugging, memdebugging; |
||||
+extern isc_boolean_t debugging, debugtiming, memdebugging; |
||||
|
||||
extern char *progname; |
||||
extern int tries; |
||||
diff -up bind-9.9.4/lib/isc/include/isc/namespace.h.send_buffers bind-9.9.4/lib/isc/include/isc/namespace.h |
||||
--- bind-9.9.4/lib/isc/include/isc/namespace.h.send_buffers 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/isc/include/isc/namespace.h 2013-10-31 14:22:20.328811669 +0100 |
||||
@@ -106,6 +106,7 @@ |
||||
#define isc_socket_sendv isc__socket_sendv |
||||
#define isc_socket_sendtov isc__socket_sendtov |
||||
#define isc_socket_sendto2 isc__socket_sendto2 |
||||
+#define isc_socket_sendtov2 isc__socket_sendtov2 |
||||
#define isc_socket_cleanunix isc__socket_cleanunix |
||||
#define isc_socket_permunix isc__socket_permunix |
||||
#define isc_socket_bind isc__socket_bind |
||||
diff -up bind-9.9.4/lib/isc/include/isc/socket.h.send_buffers bind-9.9.4/lib/isc/include/isc/socket.h |
||||
--- bind-9.9.4/lib/isc/include/isc/socket.h.send_buffers 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/isc/include/isc/socket.h 2013-10-31 14:22:20.328811669 +0100 |
||||
@@ -866,6 +866,11 @@ isc_socket_sendtov(isc_socket_t *sock, i |
||||
isc_task_t *task, isc_taskaction_t action, const void *arg, |
||||
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo); |
||||
isc_result_t |
||||
+isc_socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist, |
||||
+ isc_task_t *task, isc_taskaction_t action, const void *arg, |
||||
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo, |
||||
+ unsigned int flags); |
||||
+isc_result_t |
||||
isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region, |
||||
isc_task_t *task, |
||||
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo, |
||||
diff -up bind-9.9.4/lib/isc/unix/socket.c.send_buffers bind-9.9.4/lib/isc/unix/socket.c |
||||
--- bind-9.9.4/lib/isc/unix/socket.c.send_buffers 2013-10-31 14:22:20.293811608 +0100 |
||||
+++ bind-9.9.4/lib/isc/unix/socket.c 2013-10-31 14:22:20.330811673 +0100 |
||||
@@ -510,6 +510,11 @@ isc__socket_sendtov(isc_socket_t *sock, |
||||
isc_task_t *task, isc_taskaction_t action, const void *arg, |
||||
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo); |
||||
ISC_SOCKETFUNC_SCOPE isc_result_t |
||||
+isc__socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist, |
||||
+ isc_task_t *task, isc_taskaction_t action, const void *arg, |
||||
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo, |
||||
+ unsigned int flags); |
||||
+ISC_SOCKETFUNC_SCOPE isc_result_t |
||||
isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region, |
||||
isc_task_t *task, |
||||
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo, |
||||
@@ -4796,15 +4801,25 @@ ISC_SOCKETFUNC_SCOPE isc_result_t |
||||
isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist, |
||||
isc_task_t *task, isc_taskaction_t action, const void *arg) |
||||
{ |
||||
- return (isc__socket_sendtov(sock, buflist, task, action, arg, NULL, |
||||
- NULL)); |
||||
+ return (isc__socket_sendtov2(sock, buflist, task, action, arg, NULL, |
||||
+ NULL, 0)); |
||||
} |
||||
|
||||
ISC_SOCKETFUNC_SCOPE isc_result_t |
||||
-isc__socket_sendtov(isc_socket_t *sock0, isc_bufferlist_t *buflist, |
||||
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist, |
||||
isc_task_t *task, isc_taskaction_t action, const void *arg, |
||||
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo) |
||||
{ |
||||
+ return (isc__socket_sendtov2(sock, buflist, task, action, arg, address, |
||||
+ pktinfo, 0)); |
||||
+} |
||||
+ |
||||
+ISC_SOCKETFUNC_SCOPE isc_result_t |
||||
+isc__socket_sendtov2(isc_socket_t *sock0, isc_bufferlist_t *buflist, |
||||
+ isc_task_t *task, isc_taskaction_t action, const void *arg, |
||||
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo, |
||||
+ unsigned int flags) |
||||
+{ |
||||
isc__socket_t *sock = (isc__socket_t *)sock0; |
||||
isc_socketevent_t *dev; |
||||
isc__socketmgr_t *manager; |
||||
@@ -4837,7 +4852,7 @@ isc__socket_sendtov(isc_socket_t *sock0, |
||||
buffer = ISC_LIST_HEAD(*buflist); |
||||
} |
||||
|
||||
- return (socket_send(sock, dev, task, address, pktinfo, 0)); |
||||
+ return (socket_send(sock, dev, task, address, pktinfo, flags)); |
||||
} |
||||
|
||||
ISC_SOCKETFUNC_SCOPE isc_result_t |
@@ -0,0 +1,31 @@
|
||||
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c |
||||
index 486c102..dc12a85 100644 |
||||
--- a/bin/nsupdate/nsupdate.c |
||||
+++ b/bin/nsupdate/nsupdate.c |
||||
@@ -1566,16 +1566,20 @@ evaluate_realm(char *cmdline) { |
||||
#ifdef GSSAPI |
||||
char *word; |
||||
char buf[1024]; |
||||
+ int n; |
||||
|
||||
- word = nsu_strsep(&cmdline, " \t\r\n"); |
||||
- if (word == NULL || *word == 0) { |
||||
- if (realm != NULL) |
||||
- isc_mem_free(mctx, realm); |
||||
+ if (realm != NULL) { |
||||
+ isc_mem_free(mctx, realm); |
||||
realm = NULL; |
||||
- return (STATUS_MORE); |
||||
} |
||||
|
||||
- snprintf(buf, sizeof(buf), "@%s", word); |
||||
+ word = nsu_strsep(&cmdline, " \t\r\n"); |
||||
+ if (word == NULL || *word == 0) |
||||
+ return (STATUS_MORE); |
||||
+ |
||||
+ n = snprintf(buf, sizeof(buf), "@%s", word); |
||||
+ if (n < 0 || (size_t)n >= sizeof(buf)) |
||||
+ fatal("realm is too long"); |
||||
realm = isc_mem_strdup(mctx, buf); |
||||
if (realm == NULL) |
||||
fatal("out of memory"); |
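Review bot: The overflow check `if (n < 0 || (size_t)n >= sizeof(buf))` is correct for snprintf, but answering an over-long realm word with `fatal("realm is too long")` terminates the whole nsupdate session, while the neighbouring missing-word case returns `STATUS_MORE` and lets the caller continue. If the file has a syntax-error status used by the other evaluate_* parsers, logging the problem and returning that status would be the more proportionate response for input that arrives from a script. The reordering so that any existing realm is freed before the new word is parsed also changes behaviour for a malformed `realm` line (the old realm is now dropped rather than kept); that is likely intended but deserves a sentence in the function's comment, which begins outside this hunk.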
@@ -0,0 +1,42 @@
|
||||
commit 3a2ea636103eaf40404fb82f228605d384c36434 |
||||
Author: Mark Andrews <marka@isc.org> |
||||
Date: Tue Dec 17 09:08:59 2013 +1100 |
||||
|
||||
3692. [bug] Two calls to dns_db_getoriginnode were fatal if there |
||||
was no data at the node. [RT #35080] |
||||
|
||||
(cherry picked from commit 161e803a5608956271d8120be37a1b383d14b647) |
||||
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c |
||||
index 2dd4aa0..941b77e 100644 |
||||
--- a/lib/dns/rbtdb.c |
||||
+++ b/lib/dns/rbtdb.c |
||||
@@ -1638,8 +1638,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, |
||||
|
||||
nodelock = &rbtdb->node_locks[bucket]; |
||||
|
||||
+#define KEEP_NODE(n, r) \ |
||||
+ ((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node) |
||||
+ |
||||
/* Handle easy and typical case first. */ |
||||
- if (!node->dirty && (node->data != NULL || node->down != NULL)) { |
||||
+ if (!node->dirty && KEEP_NODE(node, rbtdb)) { |
||||
dns_rbtnode_refdecrement(node, &nrefs); |
||||
INSIST((int)nrefs >= 0); |
||||
if (nrefs == 0) { |
||||
@@ -1708,12 +1711,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node, |
||||
isc_refcount_decrement(&nodelock->references, &refs); |
||||
INSIST((int)refs >= 0); |
||||
|
||||
- /* |
||||
- * XXXDCL should this only be done for cache zones? |
||||
- */ |
||||
- if (node->data != NULL || node->down != NULL) |
||||
+ if (KEEP_NODE(node, rbtdb)) |
||||
goto restore_locks; |
||||
|
||||
+#undef KEEP_NODE |
||||
+ |
||||
if (write_locked) { |
||||
/* |
||||
* We can now delete the node. |
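Review bot: KEEP_NODE is defined in the middle of a function body and `#undef`'d thirty lines later, and its third clause, `(n) == (r)->origin_node`, is the actual fix but carries no explanation in the code; the reason (dns_db_getoriginnode must still find the origin node when it holds no data) exists only in the commit message. A comment above the define, `/* The origin node is retained even when empty so dns_db_getoriginnode() keeps working. */`, would preserve that. A `static inline isc_boolean_t keep_node(dns_rbtnode_t *n, dns_rbtdb_t *r)` would give the same two call sites type checking and avoid the define/undef pair, and the deleted "XXXDCL should this only be done for cache zones?" question is removed without being answered, so if it is still open it should move onto the helper rather than disappear.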
@@ -0,0 +1,685 @@
|
||||
From 5013230b31da1d94ce5682e5c5c38011da744971 Mon Sep 17 00:00:00 2001 |
||||
From: Tomas Hozza <thozza@redhat.com> |
||||
Date: Wed, 11 May 2016 15:17:55 +0200 |
||||
Subject: [PATCH] Added support for automatic interface scan when new address |
||||
is assigned to any interface |
||||
|
||||
Signed-off-by: Tomas Hozza <thozza@redhat.com> |
||||
--- |
||||
bin/named/config.c | 1 + |
||||
bin/named/control.c | 3 + |
||||
bin/named/include/named/control.h | 1 + |
||||
bin/named/include/named/server.h | 8 +++ |
||||
bin/named/interfacemgr.c | 144 ++++++++++++++++++++++++++++++++++++++ |
||||
bin/named/named.conf.docbook | 1 + |
||||
bin/named/server.c | 31 +++++++- |
||||
bin/named/statschannel.c | 5 ++ |
||||
bin/rndc/rndc.c | 1 + |
||||
bin/rndc/rndc.docbook | 12 ++++ |
||||
config.h.in | 12 ++++ |
||||
configure.in | 5 +- |
||||
doc/arm/Bv9ARM-book.xml | 22 +++++- |
||||
lib/isc/include/isc/socket.h | 10 ++- |
||||
lib/isc/unix/socket.c | 59 ++++++++++++++++ |
||||
lib/isccfg/namedconf.c | 1 + |
||||
16 files changed, 310 insertions(+), 6 deletions(-) |
||||
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c |
||||
index f6d0263..b43c0fc 100644 |
||||
--- a/bin/named/config.c |
||||
+++ b/bin/named/config.c |
||||
@@ -52,6 +52,7 @@ |
||||
/*% default configuration */ |
||||
static char defaultconf[] = "\ |
||||
options {\n\ |
||||
+ automatic-interface-scan yes;\n\ |
||||
# blackhole {none;};\n" |
||||
#ifndef WIN32 |
||||
" coresize default;\n\ |
||||
diff --git a/bin/named/control.c b/bin/named/control.c |
||||
index 06eadce..86fa691 100644 |
||||
--- a/bin/named/control.c |
||||
+++ b/bin/named/control.c |
||||
@@ -185,6 +185,9 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { |
||||
command_compare(command, NS_COMMAND_THAW)) { |
||||
result = ns_server_freeze(ns_g_server, ISC_FALSE, command, |
||||
text); |
||||
+ } else if (command_compare(command, NS_COMMAND_SCAN)) { |
||||
+ result = ISC_R_SUCCESS; |
||||
+ ns_server_scan_interfaces(ns_g_server); |
||||
} else if (command_compare(command, NS_COMMAND_SYNC)) { |
||||
result = ns_server_sync(ns_g_server, command, text); |
||||
} else if (command_compare(command, NS_COMMAND_RECURSING)) { |
||||
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h |
||||
index d730a83..52ed583 100644 |
||||
--- a/bin/named/include/named/control.h |
||||
+++ b/bin/named/include/named/control.h |
||||
@@ -59,6 +59,7 @@ |
||||
#define NS_COMMAND_NULL "null" |
||||
#define NS_COMMAND_NOTIFY "notify" |
||||
#define NS_COMMAND_VALIDATION "validation" |
||||
+#define NS_COMMAND_SCAN "scan" |
||||
#define NS_COMMAND_SIGN "sign" |
||||
#define NS_COMMAND_LOADKEYS "loadkeys" |
||||
#define NS_COMMAND_ADDZONE "addzone" |
||||
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h |
||||
index ff0bfd3..83622f4 100644 |
||||
--- a/bin/named/include/named/server.h |
||||
+++ b/bin/named/include/named/server.h |
||||
@@ -37,6 +37,7 @@ |
||||
#define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43) |
||||
#define NS_EVENT_RELOAD (NS_EVENTCLASS + 0) |
||||
#define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1) |
||||
+#define NS_EVENT_IFSCAN (NS_EVENTCLASS + 2) |
||||
|
||||
/*% |
||||
* Name server state. Better here than in lots of separate global variables. |
||||
@@ -114,6 +115,7 @@ struct ns_server { |
||||
dns_name_t *session_keyname; |
||||
unsigned int session_keyalg; |
||||
isc_uint16_t session_keybits; |
||||
+ isc_boolean_t interface_auto; |
||||
}; |
||||
|
||||
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R') |
||||
@@ -201,6 +203,12 @@ ns_server_reloadwanted(ns_server_t *server); |
||||
*/ |
||||
|
||||
void |
||||
+ns_server_scan_interfaces(ns_server_t *server); |
||||
+/*%< |
||||
+ * Trigger a interface scan. |
||||
+ */ |
||||
+ |
||||
+void |
||||
ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush); |
||||
/*%< |
||||
* Inform the server that the zones should be flushed to disk on shutdown. |
||||
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c |
||||
index 4f6b0f3..a9aa4a4 100644 |
||||
--- a/bin/named/interfacemgr.c |
||||
+++ b/bin/named/interfacemgr.c |
||||
@@ -33,6 +33,28 @@ |
||||
#include <named/client.h> |
||||
#include <named/log.h> |
||||
#include <named/interfacemgr.h> |
||||
+#include <named/server.h> |
||||
+ |
||||
+#ifdef HAVE_NET_ROUTE_H |
||||
+#include <net/route.h> |
||||
+#if defined(RTM_VERSION) && defined(RTM_NEWADDR) && defined(RTM_DELADDR) |
||||
+#define USE_ROUTE_SOCKET 1 |
||||
+#define ROUTE_SOCKET_PROTOCOL PF_ROUTE |
||||
+#define MSGHDR rt_msghdr |
||||
+#define MSGTYPE rtm_type |
||||
+#endif |
||||
+#endif |
||||
+ |
||||
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H) |
||||
+#include <linux/netlink.h> |
||||
+#include <linux/rtnetlink.h> |
||||
+#if defined(RTM_NEWADDR) && defined(RTM_DELADDR) |
||||
+#define USE_ROUTE_SOCKET 1 |
||||
+#define ROUTE_SOCKET_PROTOCOL PF_NETLINK |
||||
+#define MSGHDR nlmsghdr |
||||
+#define MSGTYPE nlmsg_type |
||||
+#endif |
||||
+#endif |
||||
|
||||
#define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G') |
||||
#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC) |
||||
@@ -55,6 +77,11 @@ struct ns_interfacemgr { |
||||
dns_aclenv_t aclenv; /*%< Localhost/localnets ACLs */ |
||||
ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces. */ |
||||
ISC_LIST(isc_sockaddr_t) listenon; |
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+ isc_task_t * task; |
||||
+ isc_socket_t * route; |
||||
+ unsigned char buf[2048]; |
||||
+#endif |
||||
}; |
||||
|
||||
static void |
||||
@@ -63,6 +90,71 @@ purge_old_interfaces(ns_interfacemgr_t *mgr); |
||||
static void |
||||
clearlistenon(ns_interfacemgr_t *mgr); |
||||
|
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+static void |
||||
+route_event(isc_task_t *task, isc_event_t *event) { |
||||
+ isc_socketevent_t *sevent = NULL; |
||||
+ ns_interfacemgr_t *mgr = NULL; |
||||
+ isc_region_t r; |
||||
+ isc_result_t result; |
||||
+ struct MSGHDR *rtm; |
||||
+ |
||||
+ UNUSED(task); |
||||
+ |
||||
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE); |
||||
+ mgr = event->ev_arg; |
||||
+ sevent = (isc_socketevent_t *)event; |
||||
+ |
||||
+ if (sevent->result != ISC_R_SUCCESS) { |
||||
+ if (sevent->result != ISC_R_CANCELED) |
||||
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, |
||||
+ "automatic interface scanning " |
||||
+ "terminated: %s", |
||||
+ isc_result_totext(sevent->result)); |
||||
+ ns_interfacemgr_detach(&mgr); |
||||
+ isc_event_free(&event); |
||||
+ return; |
||||
+ } |
||||
+ |
||||
+ rtm = (struct MSGHDR *)mgr->buf; |
||||
+#ifdef RTM_VERSION |
||||
+ if (rtm->rtm_version != RTM_VERSION) { |
||||
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR, |
||||
+ "automatic interface rescanning disabled: " |
||||
+ "rtm->rtm_version mismatch (%u != %u) " |
||||
+ "recompile required", rtm->rtm_version, |
||||
+ RTM_VERSION); |
||||
+ isc_task_detach(&mgr->task); |
||||
+ isc_socket_detach(&mgr->route); |
||||
+ ns_interfacemgr_detach(&mgr); |
||||
+ isc_event_free(&event); |
||||
+ return; |
||||
+ } |
||||
+#endif |
||||
+ |
||||
+ switch (rtm->MSGTYPE) { |
||||
+ case RTM_NEWADDR: |
||||
+ case RTM_DELADDR: |
||||
+ if (ns_g_server->interface_auto) |
||||
+ ns_server_scan_interfaces(ns_g_server); |
||||
+ break; |
||||
+ default: |
||||
+ break; |
||||
+ } |
||||
+ |
||||
+ /* |
||||
+ * Look for next route event. |
||||
+ */ |
||||
+ r.base = mgr->buf; |
||||
+ r.length = sizeof(mgr->buf); |
||||
+ result = isc_socket_recv(mgr->route, &r, 1, mgr->task, |
||||
+ route_event, mgr); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ ns_interfacemgr_detach(&mgr); |
||||
+ isc_event_free(&event); |
||||
+} |
||||
+#endif |
||||
+ |
||||
isc_result_t |
||||
ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, |
||||
isc_socketmgr_t *socketmgr, |
||||
@@ -112,11 +204,52 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, |
||||
mgr->aclenv.geoip = ns_g_geoip; |
||||
#endif |
||||
|
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+ mgr->route = NULL; |
||||
+ result = isc_socket_create(mgr->socketmgr, ROUTE_SOCKET_PROTOCOL, |
||||
+ isc_sockettype_raw, &mgr->route); |
||||
+ switch (result) { |
||||
+ case ISC_R_NOPERM: |
||||
+ case ISC_R_SUCCESS: |
||||
+ case ISC_R_NOTIMPLEMENTED: |
||||
+ case ISC_R_FAMILYNOSUPPORT: |
||||
+ break; |
||||
+ default: |
||||
+ goto cleanup_aclenv; |
||||
+ } |
||||
+ |
||||
+ mgr->task = NULL; |
||||
+ if (mgr->route != NULL) { |
||||
+ result = isc_task_create(taskmgr, 0, &mgr->task); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ goto cleanup_route; |
||||
+ } |
||||
+ mgr->references = (mgr->route != NULL) ? 2 : 1; |
||||
+#else |
||||
mgr->references = 1; |
||||
+#endif |
||||
mgr->magic = IFMGR_MAGIC; |
||||
*mgrp = mgr; |
||||
+ |
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+ if (mgr->route != NULL) { |
||||
+ isc_region_t r = { mgr->buf, sizeof(mgr->buf) }; |
||||
+ |
||||
+ result = isc_socket_recv(mgr->route, &r, 1, mgr->task, |
||||
+ route_event, mgr); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ ns_interfacemgr_detach(&mgr); |
||||
+ } |
||||
+#endif |
||||
return (ISC_R_SUCCESS); |
||||
|
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+ cleanup_route: |
||||
+ if (mgr->route != NULL) |
||||
+ isc_socket_detach(&mgr->route); |
||||
+ cleanup_aclenv: |
||||
+ dns_aclenv_destroy(&mgr->aclenv); |
||||
+#endif |
||||
cleanup_listenon: |
||||
ns_listenlist_detach(&mgr->listenon4); |
||||
ns_listenlist_detach(&mgr->listenon6); |
||||
@@ -128,6 +261,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, |
||||
static void |
||||
ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) { |
||||
REQUIRE(NS_INTERFACEMGR_VALID(mgr)); |
||||
+ |
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+ if (mgr->route != NULL) |
||||
+ isc_socket_detach(&mgr->route); |
||||
+ if (mgr->task != NULL) |
||||
+ isc_task_detach(&mgr->task); |
||||
+#endif |
||||
dns_aclenv_destroy(&mgr->aclenv); |
||||
ns_listenlist_detach(&mgr->listenon4); |
||||
ns_listenlist_detach(&mgr->listenon6); |
||||
@@ -179,6 +319,10 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { |
||||
* consider all interfaces "old". |
||||
*/ |
||||
mgr->generation++; |
||||
+#ifdef USE_ROUTE_SOCKET |
||||
+ if (mgr->route != NULL) |
||||
+ isc_socket_cancel(mgr->route, mgr->task, ISC_SOCKCANCEL_RECV); |
||||
+#endif |
||||
purge_old_interfaces(mgr); |
||||
} |
||||
|
||||
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook |
||||
index 8c23e52..a8cd31e 100644 |
||||
--- a/bin/named/named.conf.docbook |
||||
+++ b/bin/named/named.conf.docbook |
||||
@@ -373,6 +373,7 @@ options { |
||||
zero-no-soa-ttl <replaceable>boolean</replaceable>; |
||||
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>; |
||||
dnssec-secure-to-insecure <replaceable>boolean</replaceable>; |
||||
+ automatic-interface-scan <replaceable>boolean</replaceable>; |
||||
deny-answer-addresses { |
||||
<replaceable>address_match_list</replaceable> |
||||
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>; |
||||
diff --git a/bin/named/server.c b/bin/named/server.c |
||||
index 24b31c3..942bab6 100644 |
||||
--- a/bin/named/server.c |
||||
+++ b/bin/named/server.c |
||||
@@ -4485,8 +4485,9 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) { |
||||
} |
||||
|
||||
/* |
||||
- * This event callback is invoked to do periodic network |
||||
- * interface scanning. |
||||
+ * This event callback is invoked to do periodic network interface |
||||
+ * scanning. It is also called by ns_server_scan_interfaces(), |
||||
+ * invoked by "rndc scan" |
||||
*/ |
||||
static void |
||||
interface_timer_tick(isc_task_t *task, isc_event_t *event) { |
||||
@@ -4494,7 +4495,14 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) { |
||||
ns_server_t *server = (ns_server_t *) event->ev_arg; |
||||
INSIST(task == server->task); |
||||
UNUSED(task); |
||||
+ |
||||
+ if (event->ev_type == NS_EVENT_IFSCAN) |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, |
||||
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1), |
||||
+ "automatic interface rescan"); |
||||
+ |
||||
isc_event_free(&event); |
||||
+ |
||||
/* |
||||
* XXX should scan interfaces unlocked and get exclusive access |
||||
* only to replace ACLs. |
||||
@@ -5419,6 +5427,14 @@ load_configuration(const char *filename, ns_server_t *server, |
||||
server->interface_interval = interface_interval; |
||||
|
||||
/* |
||||
+ * Enable automatic interface scans. |
||||
+ */ |
||||
+ obj = NULL; |
||||
+ result = ns_config_get(maps, "automatic-interface-scan", &obj); |
||||
+ INSIST(result == ISC_R_SUCCESS); |
||||
+ server->interface_auto = cfg_obj_asboolean(obj); |
||||
+ |
||||
+ /* |
||||
* Configure the dialup heartbeat timer. |
||||
*/ |
||||
obj = NULL; |
||||
@@ -6637,6 +6653,17 @@ ns_server_reloadwanted(ns_server_t *server) { |
||||
UNLOCK(&server->reload_event_lock); |
||||
} |
||||
|
||||
+void |
||||
+ns_server_scan_interfaces(ns_server_t *server) { |
||||
+ isc_event_t *event; |
||||
+ |
||||
+ event = isc_event_allocate(ns_g_mctx, server, NS_EVENT_IFSCAN, |
||||
+ interface_timer_tick, server, |
||||
+ sizeof(isc_event_t)); |
||||
+ if (event != NULL) |
||||
+ isc_task_send(server->task, &event); |
||||
+} |
||||
+ |
||||
static char * |
||||
next_token(char **stringp, const char *delim) { |
||||
char *res; |
||||
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c |
||||
index 37e98a8..b985f62 100644 |
||||
--- a/bin/named/statschannel.c |
||||
+++ b/bin/named/statschannel.c |
||||
@@ -341,6 +341,7 @@ init_desc(void) { |
||||
SET_SOCKSTATDESC(tcp4open, "TCP/IPv4 sockets opened", "TCP4Open"); |
||||
SET_SOCKSTATDESC(tcp6open, "TCP/IPv6 sockets opened", "TCP6Open"); |
||||
SET_SOCKSTATDESC(unixopen, "Unix domain sockets opened", "UnixOpen"); |
||||
+ SET_SOCKSTATDESC(rawopen, "Raw sockets opened", "RawOpen"); |
||||
SET_SOCKSTATDESC(udp4openfail, "UDP/IPv4 socket open failures", |
||||
"UDP4OpenFail"); |
||||
SET_SOCKSTATDESC(udp6openfail, "UDP/IPv6 socket open failures", |
||||
@@ -351,6 +352,8 @@ init_desc(void) { |
||||
"TCP6OpenFail"); |
||||
SET_SOCKSTATDESC(unixopenfail, "Unix domain socket open failures", |
||||
"UnixOpenFail"); |
||||
+ SET_SOCKSTATDESC(rawopenfail, "Raw socket open failures", |
||||
+ "RawOpenFail"); |
||||
SET_SOCKSTATDESC(udp4close, "UDP/IPv4 sockets closed", "UDP4Close"); |
||||
SET_SOCKSTATDESC(udp6close, "UDP/IPv6 sockets closed", "UDP6Close"); |
||||
SET_SOCKSTATDESC(tcp4close, "TCP/IPv4 sockets closed", "TCP4Close"); |
||||
@@ -358,6 +361,7 @@ init_desc(void) { |
||||
SET_SOCKSTATDESC(unixclose, "Unix domain sockets closed", "UnixClose"); |
||||
SET_SOCKSTATDESC(fdwatchclose, "FDwatch sockets closed", |
||||
"FDWatchClose"); |
||||
+ SET_SOCKSTATDESC(rawclose, "Raw sockets closed", "RawClose"); |
||||
SET_SOCKSTATDESC(udp4bindfail, "UDP/IPv4 socket bind failures", |
||||
"UDP4BindFail"); |
||||
SET_SOCKSTATDESC(udp6bindfail, "UDP/IPv6 socket bind failures", |
||||
@@ -424,6 +428,7 @@ init_desc(void) { |
||||
"UnixRecvErr"); |
||||
SET_SOCKSTATDESC(fdwatchrecvfail, "FDwatch recv errors", |
||||
"FDwatchRecvErr"); |
||||
+ SET_SOCKSTATDESC(rawrecvfail, "Raw recv errors", "RawRecvErr"); |
||||
INSIST(i == isc_sockstatscounter_max); |
||||
|
||||
/* Initialize DNSSEC statistics */ |
||||
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c |
||||
index 9a007e2..be198b1 100644 |
||||
--- a/bin/rndc/rndc.c |
||||
+++ b/bin/rndc/rndc.c |
||||
@@ -160,6 +160,7 @@ command is one of the following:\n\ |
||||
Add zone to given view. Requires new-zone-file option.\n\ |
||||
delzone [\"file\"] zone [class [view]]\n\ |
||||
Removes zone from given view. Requires new-zone-file option.\n\ |
||||
+ scan Scan available network interfaces for changes.\n\ |
||||
signing -list zone [class [view]]\n\ |
||||
List the private records showing the state of DNSSEC\n\ |
||||
signing in the given zone.\n\ |
||||
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook |
||||
index 1789aaa..5b37b7f 100644 |
||||
--- a/bin/rndc/rndc.docbook |
||||
+++ b/bin/rndc/rndc.docbook |
||||
@@ -330,6 +330,18 @@ |
||||
</varlistentry> |
||||
|
||||
<varlistentry> |
||||
+ <term><userinput>scan</userinput></term> |
||||
+ <listitem> |
||||
+ <para> |
||||
+ Scan the list of available network interfaces |
||||
+ for changes, without performing a full |
||||
+ <command>reconfig</command> or waiting for the |
||||
+ <command>interface-interval</command> timer. |
||||
+ </para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ |
||||
+ <varlistentry> |
||||
<term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term> |
||||
<listitem> |
||||
<para> |
||||
diff --git a/config.h.in b/config.h.in |
||||
index 6ed8381..3515f69 100644 |
||||
--- a/config.h.in |
||||
+++ b/config.h.in |
||||
@@ -280,6 +280,12 @@ int sigwait(const unsigned int *set, int *sig); |
||||
/* Define to 1 if you have the <linux/capability.h> header file. */ |
||||
#undef HAVE_LINUX_CAPABILITY_H |
||||
|
||||
+/* Define to 1 if you have the <linux/netlink.h> header file. */ |
||||
+#undef HAVE_LINUX_NETLINK_H |
||||
+ |
||||
+/* Define to 1 if you have the <linux/rtnetlink.h> header file. */ |
||||
+#undef HAVE_LINUX_RTNETLINK_H |
||||
+ |
||||
/* Define to 1 if you have the <linux/types.h> header file. */ |
||||
#undef HAVE_LINUX_TYPES_H |
||||
|
||||
@@ -295,6 +301,9 @@ int sigwait(const unsigned int *set, int *sig); |
||||
/* Define to 1 if you have the <net/if6.h> header file. */ |
||||
#undef HAVE_NET_IF6_H |
||||
|
||||
+/* Define to 1 if you have the <net/route.h> header file. */ |
||||
+#undef HAVE_NET_ROUTE_H |
||||
+ |
||||
/* Define if your OpenSSL version supports ECDSA. */ |
||||
#undef HAVE_OPENSSL_ECDSA |
||||
|
||||
@@ -358,6 +367,9 @@ int sigwait(const unsigned int *set, int *sig); |
||||
/* Define to 1 if you have the <sys/select.h> header file. */ |
||||
#undef HAVE_SYS_SELECT_H |
||||
|
||||
+/* Define to 1 if you have the <sys/socket.h> header file. */ |
||||
+#undef HAVE_SYS_SOCKET_H |
||||
+ |
||||
/* Define to 1 if you have the <sys/sockio.h> header file. */ |
||||
#undef HAVE_SYS_SOCKIO_H |
||||
|
||||
diff --git a/configure.in b/configure.in |
||||
index d72093f..38e626d 100644 |
||||
--- a/configure.in |
||||
+++ b/configure.in |
||||
@@ -375,11 +375,14 @@ fi |
||||
|
||||
AC_HEADER_STDC |
||||
|
||||
-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,, |
||||
+AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h,,, |
||||
[$ac_includes_default |
||||
#ifdef HAVE_SYS_PARAM_H |
||||
# include <sys/param.h> |
||||
#endif |
||||
+#ifdef HAVE_SYS_SOCKET_H |
||||
+# include <sys/socket.h> |
||||
+#endif |
||||
]) |
||||
|
||||
AC_C_CONST |
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml |
||||
index 92c7b72..4c47d92 100644 |
||||
--- a/doc/arm/Bv9ARM-book.xml |
||||
+++ b/doc/arm/Bv9ARM-book.xml |
||||
@@ -4964,7 +4964,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] |
||||
<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional> |
||||
<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ; |
||||
} <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> |
||||
- <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> ; </optional> |
||||
+ <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> |
||||
+ <optional> automatic-interface-scan <replaceable>yes_or_no</replaceable> </optional> |
||||
+ ; </optional> |
||||
}; |
||||
</programlisting> |
||||
|
||||
@@ -5726,6 +5728,23 @@ options { |
||||
<variablelist> |
||||
|
||||
<varlistentry> |
||||
+ <term><command>automatic-interface-scan</command></term> |
||||
+ <listitem> |
||||
+ <para> |
||||
+ If <userinput>yes</userinput> and supported by the OS, |
||||
+ automatically rescan network interfaces when the interface |
||||
+ addresses are added or removed. The default is |
||||
+ <userinput>yes</userinput>. |
||||
+ </para> |
||||
+ <para> |
||||
+ Currently the OS needs to support routing sockets for |
||||
+ <command>automatic-interface-scan</command> to be |
||||
+ supported. |
||||
+ </para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ |
||||
+ <varlistentry> |
||||
<term><command>allow-new-zones</command></term> |
||||
<listitem> |
||||
<para> |
||||
@@ -10494,6 +10513,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea |
||||
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional> |
||||
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional> |
||||
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional> |
||||
+ <optional> automatic-interface-scan { <replaceable>yes_or_no</replaceable> }; </optional> |
||||
<optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional> |
||||
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional> |
||||
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional> |
||||
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h |
||||
index c5a753a..1cd90bb 100644 |
||||
--- a/lib/isc/include/isc/socket.h |
||||
+++ b/lib/isc/include/isc/socket.h |
||||
@@ -150,7 +150,12 @@ enum { |
||||
isc_sockstatscounter_unixrecvfail = 50, |
||||
isc_sockstatscounter_fdwatchrecvfail = 51, |
||||
|
||||
- isc_sockstatscounter_max = 52 |
||||
+ isc_sockstatscounter_rawopen = 52, |
||||
+ isc_sockstatscounter_rawopenfail = 53, |
||||
+ isc_sockstatscounter_rawclose = 54, |
||||
+ isc_sockstatscounter_rawrecvfail = 55, |
||||
+ |
||||
+ isc_sockstatscounter_max = 56 |
||||
}; |
||||
|
||||
/*** |
||||
@@ -221,7 +226,8 @@ typedef enum { |
||||
isc_sockettype_udp = 1, |
||||
isc_sockettype_tcp = 2, |
||||
isc_sockettype_unix = 3, |
||||
- isc_sockettype_fdwatch = 4 |
||||
+ isc_sockettype_fdwatch = 4, |
||||
+ isc_sockettype_raw = 5 |
||||
} isc_sockettype_t; |
||||
|
||||
/*@{*/ |
||||
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c |
||||
index 82d0d16..cbc506b 100644 |
||||
--- a/lib/isc/unix/socket.c |
||||
+++ b/lib/isc/unix/socket.c |
||||
@@ -28,6 +28,11 @@ |
||||
#include <sys/time.h> |
||||
#include <sys/uio.h> |
||||
|
||||
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H) |
||||
+#include <linux/netlink.h> |
||||
+#include <linux/rtnetlink.h> |
||||
+#endif |
||||
+ |
||||
#include <errno.h> |
||||
#include <fcntl.h> |
||||
#include <stddef.h> |
||||
@@ -708,6 +713,18 @@ static const isc_statscounter_t fdwatchstatsindex[] = { |
||||
isc_sockstatscounter_fdwatchsendfail, |
||||
isc_sockstatscounter_fdwatchrecvfail |
||||
}; |
||||
+static const isc_statscounter_t rawstatsindex[] = { |
||||
+ isc_sockstatscounter_rawopen, |
||||
+ isc_sockstatscounter_rawopenfail, |
||||
+ isc_sockstatscounter_rawclose, |
||||
+ -1, |
||||
+ -1, |
||||
+ -1, |
||||
+ -1, |
||||
+ -1, |
||||
+ -1, |
||||
+ isc_sockstatscounter_rawrecvfail, |
||||
+}; |
||||
|
||||
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) || \ |
||||
defined(USE_WATCHER_THREAD) |
||||
@@ -1744,6 +1761,7 @@ doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) { |
||||
return (DOIO_EOF); |
||||
break; |
||||
case isc_sockettype_udp: |
||||
+ case isc_sockettype_raw: |
||||
break; |
||||
case isc_sockettype_fdwatch: |
||||
default: |
||||
@@ -2306,6 +2324,44 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock, |
||||
case isc_sockettype_unix: |
||||
sock->fd = socket(sock->pf, SOCK_STREAM, 0); |
||||
break; |
||||
+ case isc_sockettype_raw: |
||||
+ errno = EPFNOSUPPORT; |
||||
+ /* |
||||
+ * PF_ROUTE is a alias for PF_NETLINK on linux. |
||||
+ */ |
||||
+#if defined(PF_ROUTE) |
||||
+ if (sock->fd == -1 && sock->pf == PF_ROUTE) { |
||||
+#ifdef NETLINK_ROUTE |
||||
+ sock->fd = socket(sock->pf, SOCK_RAW, |
||||
+ NETLINK_ROUTE); |
||||
+#else |
||||
+ sock->fd = socket(sock->pf, SOCK_RAW, 0); |
||||
+#endif |
||||
+ if (sock->fd != -1) { |
||||
+#ifdef NETLINK_ROUTE |
||||
+ struct sockaddr_nl sa; |
||||
+ int n; |
||||
+ |
||||
+ /* |
||||
+ * Do an implicit bind. |
||||
+ */ |
||||
+ memset(&sa, 0, sizeof(sa)); |
||||
+ sa.nl_family = AF_NETLINK; |
||||
+ sa.nl_groups = RTMGRP_IPV4_IFADDR | |
||||
+ RTMGRP_IPV6_IFADDR; |
||||
+ n = bind(sock->fd, |
||||
+ (struct sockaddr *) &sa, |
||||
+ sizeof(sa)); |
||||
+ if (n < 0) { |
||||
+ close(sock->fd); |
||||
+ sock->fd = -1; |
||||
+ } |
||||
+#endif |
||||
+ sock->bound = 1; |
||||
+ } |
||||
+ } |
||||
+ #endif |
||||
+ break; |
||||
case isc_sockettype_fdwatch: |
||||
/* |
||||
* We should not be called for isc_sockettype_fdwatch |
||||
@@ -2602,6 +2658,9 @@ socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type, |
||||
case isc_sockettype_unix: |
||||
sock->statsindex = unixstatsindex; |
||||
break; |
||||
+ case isc_sockettype_raw: |
||||
+ sock->statsindex = rawstatsindex; |
||||
+ break; |
||||
default: |
||||
INSIST(0); |
||||
} |
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c |
||||
index f5ff8e3..f49ff70 100644 |
||||
--- a/lib/isccfg/namedconf.c |
||||
+++ b/lib/isccfg/namedconf.c |
||||
@@ -931,6 +931,7 @@ bindkeys_clauses[] = { |
||||
*/ |
||||
static cfg_clausedef_t |
||||
options_clauses[] = { |
||||
+ { "automatic-interface-scan", &cfg_type_boolean, 0 }, |
||||
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 }, |
||||
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 }, |
||||
{ "bindkeys-file", &cfg_type_qstring, 0 }, |
||||
-- |
||||
2.5.5 |
||||
|
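Review bot: In route_event (interfacemgr.c hunk `@@ -63,6 +90,71 @@`) the receive buffer is cast to `struct MSGHDR` and `rtm->rtm_version` / `rtm->MSGTYPE` are read without checking how many bytes the completed recv actually delivered, so a short datagram makes those fields read whatever was previously in `mgr->buf`. Guard the header access on the received length, e.g. `if (sevent->n >= sizeof(*rtm))` around the version check and the `switch`, so a short read simply falls through to re-arming the recv. On the netlink side a single recv may carry several nlmsghdr records and only the first is examined, so an address change later in the same datagram would presumably be missed; iterating the records with NLMSG_OK/NLMSG_NEXT would close that gap. Separately, the Bv9ARM zone-statement synopsis adds `automatic-interface-scan { yes_or_no };` with braces, while namedconf.c registers the clause only in options_clauses and the rest of the patch writes it as `automatic-interface-scan yes_or_no;`, so that zone-synopsis line should be dropped or aligned with the options syntax.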
@@ -0,0 +1,307 @@
|
||||
From 127701d9d32e568f09c775e722286e9c0b8c72ec Mon Sep 17 00:00:00 2001 |
||||
From: Tomas Hozza <thozza@redhat.com> |
||||
Date: Fri, 22 May 2015 16:56:25 +0200 |
||||
Subject: [PATCH] Fix coverity issues |
||||
|
||||
http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/9377/ |
||||
Signed-off-by: Tomas Hozza <thozza@redhat.com> |
||||
--- |
||||
bin/named/server.c | 8 +++----- |
||||
lib/dns/dispatch.c | 5 +++-- |
||||
lib/dns/dst_api.c | 6 ++++++ |
||||
lib/dns/gen.c | 16 +++++++++++++++- |
||||
lib/dns/name.c | 8 ++------ |
||||
lib/dns/nsec3.c | 4 ++-- |
||||
lib/dns/rcode.c | 4 +++- |
||||
lib/isc/netaddr.c | 1 + |
||||
lib/isc/pk11.c | 21 ++++++++++++++------- |
||||
9 files changed, 49 insertions(+), 24 deletions(-) |
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c |
||||
index 227c646..5e94660 100644 |
||||
--- a/bin/named/server.c |
||||
+++ b/bin/named/server.c |
||||
@@ -8018,9 +8018,11 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) { |
||||
dns_zone_t *zone = NULL; |
||||
char classstr[DNS_RDATACLASS_FORMATSIZE]; |
||||
char zonename[DNS_NAME_FORMATSIZE]; |
||||
- const char *vname, *sep, *msg = NULL, *arg; |
||||
+ const char *vname, *sep, *arg; |
||||
isc_boolean_t cleanup = ISC_FALSE; |
||||
|
||||
+ UNUSED(text); |
||||
+ |
||||
(void) next_token(&args, " \t"); |
||||
|
||||
arg = next_token(&args, " \t"); |
||||
@@ -8061,10 +8063,6 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) { |
||||
result = synczone(zone, &cleanup); |
||||
isc_task_endexclusive(server->task); |
||||
|
||||
- if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text)) |
||||
- isc_buffer_putmem(text, (const unsigned char *)msg, |
||||
- strlen(msg) + 1); |
||||
- |
||||
view = dns_zone_getview(zone); |
||||
if (strcmp(view->name, "_default") == 0 || |
||||
strcmp(view->name, "_bind") == 0) |
||||
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c |
||||
index 5063914..c93651d 100644 |
||||
--- a/lib/dns/dispatch.c |
||||
+++ b/lib/dns/dispatch.c |
||||
@@ -2278,9 +2278,10 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr, |
||||
|
||||
/* Create or adjust socket pool */ |
||||
if (mgr->spool != NULL) { |
||||
- if (maxrequests < DNS_DISPATCH_POOLSOCKS * 2) |
||||
+ if (maxrequests < DNS_DISPATCH_POOLSOCKS * 2) { |
||||
isc_mempool_setmaxalloc(mgr->spool, DNS_DISPATCH_POOLSOCKS * 2); |
||||
isc_mempool_setfreemax(mgr->spool, DNS_DISPATCH_POOLSOCKS * 2); |
||||
+ } |
||||
UNLOCK(&mgr->buffer_lock); |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
@@ -3765,7 +3766,7 @@ dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr, |
||||
goto fail_alloc; |
||||
|
||||
dset->dispatches = isc_mem_get(mctx, sizeof(dns_dispatch_t *) * n); |
||||
- if (dset == NULL) { |
||||
+ if (dset->dispatches == NULL) { |
||||
result = ISC_R_NOMEMORY; |
||||
goto fail_lock; |
||||
} |
||||
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c |
||||
index d96473f..e71f202 100644 |
||||
--- a/lib/dns/dst_api.c |
||||
+++ b/lib/dns/dst_api.c |
||||
@@ -1882,6 +1882,9 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { |
||||
#ifdef BIND9 |
||||
unsigned int flags = dst_entropy_flags; |
||||
|
||||
+ if (dst_entropy_pool == NULL) |
||||
+ return (ISC_R_FAILURE); |
||||
+ |
||||
if (len == 0) |
||||
return (ISC_R_SUCCESS); |
||||
|
||||
@@ -1914,6 +1917,9 @@ dst__entropy_status(void) { |
||||
unsigned char buf[32]; |
||||
static isc_boolean_t first = ISC_TRUE; |
||||
|
||||
+ if (dst_entropy_pool == NULL) |
||||
+ return (0); |
||||
+ |
||||
if (first) { |
||||
/* Someone believes RAND_status() initializes the PRNG */ |
||||
flags &= ~ISC_ENTROPY_GOODONLY; |
||||
diff --git a/lib/dns/gen.c b/lib/dns/gen.c |
||||
index 6b533dd..548f892 100644 |
||||
--- a/lib/dns/gen.c |
||||
+++ b/lib/dns/gen.c |
||||
@@ -335,10 +335,14 @@ insert_into_typenames(int type, const char *typename, const char *attr) { |
||||
typename); |
||||
exit(1); |
||||
} |
||||
+ |
||||
strncpy(ttn->typename, typename, sizeof(ttn->typename)); |
||||
- ttn->type = type; |
||||
+ ttn->typename[sizeof(ttn->typename) - 1] = '\0'; |
||||
|
||||
strncpy(ttn->macroname, ttn->typename, sizeof(ttn->macroname)); |
||||
+ ttn->macroname[sizeof(ttn->macroname) - 1] = '\0'; |
||||
+ |
||||
+ ttn->type = type; |
||||
c = strlen(ttn->macroname); |
||||
while (c > 0) { |
||||
if (ttn->macroname[c - 1] == '-') |
||||
@@ -364,7 +368,10 @@ insert_into_typenames(int type, const char *typename, const char *attr) { |
||||
attr, typename); |
||||
exit(1); |
||||
} |
||||
+ |
||||
strncpy(ttn->attr, attr, sizeof(ttn->attr)); |
||||
+ ttn->attr[sizeof(ttn->attr) - 1] = '\0'; |
||||
+ |
||||
ttn->sorted = 0; |
||||
if (maxtype < type) |
||||
maxtype = type; |
||||
@@ -393,11 +400,17 @@ add(int rdclass, const char *classname, int type, const char *typename, |
||||
newtt->next = NULL; |
||||
newtt->rdclass = rdclass; |
||||
newtt->type = type; |
||||
+ |
||||
strncpy(newtt->classname, classname, sizeof(newtt->classname)); |
||||
+ newtt->classname[sizeof(newtt->classname) - 1] = '\0'; |
||||
+ |
||||
strncpy(newtt->typename, typename, sizeof(newtt->typename)); |
||||
+ newtt->typename[sizeof(newtt->typename) - 1] = '\0'; |
||||
+ |
||||
if (strncmp(dirname, "./", 2) == 0) |
||||
dirname += 2; |
||||
strncpy(newtt->dirname, dirname, sizeof(newtt->dirname)); |
||||
+ newtt->dirname[sizeof(newtt->dirname) - 1] = '\0'; |
||||
|
||||
tt = types; |
||||
oldtt = NULL; |
||||
@@ -436,6 +449,7 @@ add(int rdclass, const char *classname, int type, const char *typename, |
||||
} |
||||
newcc->rdclass = rdclass; |
||||
strncpy(newcc->classname, classname, sizeof(newcc->classname)); |
||||
+ newcc->classname[sizeof(newcc->classname) - 1] = '\0'; |
||||
cc = classes; |
||||
oldcc = NULL; |
||||
|
||||
diff --git a/lib/dns/name.c b/lib/dns/name.c |
||||
index 4fcabb1..93173ee 100644 |
||||
--- a/lib/dns/name.c |
||||
+++ b/lib/dns/name.c |
||||
@@ -1859,7 +1859,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, |
||||
0) |
||||
return (DNS_R_DISALLOWED); |
||||
new_current = c & 0x3F; |
||||
- n = 1; |
||||
state = fw_newcurrent; |
||||
} else |
||||
return (DNS_R_BADLABELTYPE); |
||||
@@ -1867,8 +1866,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, |
||||
case fw_ordinary: |
||||
if (downcase) |
||||
c = maptolower[c]; |
||||
- /* FALLTHROUGH */ |
||||
- case fw_copy: |
||||
*ndata++ = c; |
||||
n--; |
||||
if (n == 0) |
||||
@@ -1877,9 +1874,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source, |
||||
case fw_newcurrent: |
||||
new_current *= 256; |
||||
new_current += c; |
||||
- n--; |
||||
- if (n != 0) |
||||
- break; |
||||
if (new_current >= biggest_pointer) |
||||
return (DNS_R_BADPOINTER); |
||||
biggest_pointer = new_current; |
||||
@@ -2398,6 +2392,8 @@ dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) { |
||||
|
||||
isc_buffer_usedregion(&buf, ®); |
||||
p = isc_mem_allocate(mctx, reg.length + 1); |
||||
+ if (p == NULL) |
||||
+ return (ISC_R_NOMEMORY); |
||||
memcpy(p, (char *) reg.base, (int) reg.length); |
||||
p[reg.length] = '\0'; |
||||
|
||||
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c |
||||
index 935f515..86fad33 100644 |
||||
--- a/lib/dns/nsec3.c |
||||
+++ b/lib/dns/nsec3.c |
||||
@@ -842,8 +842,8 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, |
||||
dns_db_detachnode(db, &newnode); |
||||
} while (1); |
||||
|
||||
- if (result == ISC_R_NOMORE) |
||||
- result = ISC_R_SUCCESS; |
||||
+ /* result cannot be ISC_R_NOMORE here */ |
||||
+ INSIST(result != ISC_R_NOMORE); |
||||
|
||||
failure: |
||||
if (dbit != NULL) |
||||
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c |
||||
index 0b7fe8c..091b3c7 100644 |
||||
--- a/lib/dns/rcode.c |
||||
+++ b/lib/dns/rcode.c |
||||
@@ -216,7 +216,9 @@ maybe_numeric(unsigned int *valuep, isc_textregion_t *source, |
||||
* isc_parse_uint32(). isc_parse_uint32() requires |
||||
* null termination, so we must make a copy. |
||||
*/ |
||||
- strncpy(buffer, source->base, NUMBERSIZE); |
||||
+ strncpy(buffer, source->base, sizeof(buffer)); |
||||
+ buffer[sizeof(buffer) - 1] = '\0'; |
||||
+ |
||||
INSIST(buffer[source->length] == '\0'); |
||||
|
||||
result = isc_parse_uint32(&n, buffer, 10); |
||||
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c |
||||
index 5cce1bc..6706542 100644 |
||||
--- a/lib/isc/netaddr.c |
||||
+++ b/lib/isc/netaddr.c |
||||
@@ -235,6 +235,7 @@ isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen) { |
||||
nbytes = prefixlen / 8; |
||||
nbits = prefixlen % 8; |
||||
if (nbits != 0) { |
||||
+ INSIST(nbytes < ipbytes); |
||||
if ((p[nbytes] & (0xff>>nbits)) != 0U) |
||||
return (ISC_R_FAILURE); |
||||
nbytes++; |
||||
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c |
||||
index 015bff2..de4479b 100644 |
||||
--- a/lib/isc/pk11.c |
||||
+++ b/lib/isc/pk11.c |
||||
@@ -130,7 +130,10 @@ |
||||
#include <pkcs11/cryptoki.h> |
||||
#include <pkcs11/pkcs11.h> |
||||
|
||||
-#define PINLEN 32 |
||||
+/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */ |
||||
+#ifndef PINLEN |
||||
+#define PINLEN 256 |
||||
+#endif |
||||
|
||||
#ifndef PK11_NO_LOGERR |
||||
#define PK11_NO_LOGERR 1 |
||||
@@ -163,7 +166,7 @@ struct pk11_token { |
||||
char manuf[32]; |
||||
char model[16]; |
||||
char serial[16]; |
||||
- char pin[PINLEN]; |
||||
+ char pin[PINLEN + 1]; |
||||
}; |
||||
static ISC_LIST(pk11_token_t) tokens; |
||||
|
||||
@@ -498,7 +501,9 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype, |
||||
|
||||
/* Override the token's PIN */ |
||||
if (logon && pin != NULL && *pin != '\0') { |
||||
- memset(token->pin, 0, PINLEN); |
||||
+ if (strlen(pin) > PINLEN) |
||||
+ return ISC_R_RANGE; |
||||
+ memset(token->pin, 0, PINLEN + 1); |
||||
strncpy(token->pin, pin, PINLEN); |
||||
} |
||||
|
||||
@@ -1099,7 +1104,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, |
||||
char *uri, *p, *a, *na, *v; |
||||
size_t len, l; |
||||
FILE *stream = NULL; |
||||
- char pin[PINLEN]; |
||||
+ char pin[PINLEN + 1]; |
||||
isc_boolean_t gotpin = ISC_FALSE; |
||||
isc_result_t ret; |
||||
|
||||
@@ -1207,10 +1212,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, |
||||
ret = isc_stdio_open(v, "r", &stream); |
||||
if (ret != ISC_R_SUCCESS) |
||||
goto err; |
||||
- memset(pin, 0, PINLEN); |
||||
- ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL); |
||||
+ memset(pin, 0, PINLEN + 1); |
||||
+ ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l); |
||||
if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF)) |
||||
goto err; |
||||
+ if (l > PINLEN) |
||||
+ DST_RET(ISC_R_RANGE); |
||||
ret = isc_stdio_close(stream); |
||||
stream = NULL; |
||||
if (ret != ISC_R_SUCCESS) |
||||
@@ -1238,7 +1245,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label, |
||||
DST_RET(ISC_R_NOTFOUND); |
||||
obj->slot = token->slotid; |
||||
if (gotpin) { |
||||
- memmove(token->pin, pin, PINLEN); |
||||
+ memmove(token->pin, pin, PINLEN + 1); |
||||
obj->reqlogon = ISC_TRUE; |
||||
} |
||||
|
||||
-- |
||||
2.1.0 |
||||
|
@ -0,0 +1,44 @@
@@ -0,0 +1,44 @@
|
||||
From 1f3ac11cb4ecfab52f517ebf78493b0f05318be2 Mon Sep 17 00:00:00 2001 |
||||
From: Evan Hunt <each@isc.org> |
||||
Date: Mon, 16 Jun 2014 15:31:04 -0700 |
||||
Subject: [PATCH] [v9_9] null terminate strings for coverity |
||||
|
||||
--- |
||||
bin/dig/dig.c | 1 + |
||||
bin/tests/system/dlzexternal/driver.c | 6 ++++++ |
||||
2 files changed, 7 insertions(+) |
||||
|
||||
diff --git a/bin/dig/dig.c b/bin/dig/dig.c |
||||
index 8a5fead..6af0964 100644 |
||||
--- a/bin/dig/dig.c |
||||
+++ b/bin/dig/dig.c |
||||
@@ -1453,6 +1453,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, |
||||
ip6_int, ISC_FALSE) == ISC_R_SUCCESS) { |
||||
strncpy((*lookup)->textname, textname, |
||||
sizeof((*lookup)->textname)); |
||||
+ (*lookup)->textname[sizeof((*lookup)->textname)-1] = 0; |
||||
debug("looking up %s", (*lookup)->textname); |
||||
(*lookup)->trace_root = ISC_TF((*lookup)->trace || |
||||
(*lookup)->ns_search_only); |
||||
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c |
||||
index 053c25a..f99ac14 100644 |
||||
--- a/bin/tests/system/dlzexternal/driver.c |
||||
+++ b/bin/tests/system/dlzexternal/driver.c |
||||
@@ -133,8 +133,14 @@ add_name(struct dlz_example_data *state, struct record *list, |
||||
return (ISC_R_NOSPACE); |
||||
|
||||
strncpy(list[i].name, name, sizeof(list[i].name)); |
||||
+ list[i].name[sizeof(list[i].name) - 1] = '\0'; |
||||
+ |
||||
strncpy(list[i].type, type, sizeof(list[i].type)); |
||||
+ list[i].type[sizeof(list[i].type) - 1] = '\0'; |
||||
+ |
||||
strncpy(list[i].data, data, sizeof(list[i].data)); |
||||
+ list[i].data[sizeof(list[i].data) - 1] = '\0'; |
||||
+ |
||||
list[i].ttl = ttl; |
||||
|
||||
return (ISC_R_SUCCESS); |
||||
-- |
||||
2.9.3 |
||||
|
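Review bot: The terminator added after the `strncpy` into `(*lookup)->textname` makes the buffer safe to read but leaves truncation silent: a name longer than the buffer is quietly cut and dash_option() continues the lookup on a different name (the `debug("looking up %s", ...)` on the next line would show the truncated value). A length check before the copy, `if (strlen(textname) >= sizeof((*lookup)->textname))`, followed by the file's existing fatal-error path, would refuse the input instead of querying the wrong name; whether an error or a warning is the right response cannot be judged from the hunk. The same silent-truncation pattern appears three times in add_name() in driver.c, though that is test code and the fixed-size records may be intentional there. dash_option()'s body continues outside the hunk.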
@ -0,0 +1,13 @@
@@ -0,0 +1,13 @@
|
||||
diff -up bind-9.9.0b2/lib/dns/include/dns/Makefile.in.forward bind-9.9.0b2/lib/dns/include/dns/Makefile.in |
||||
--- bind-9.9.0b2/lib/dns/include/dns/Makefile.in.forward 2011-12-07 16:17:50.822438237 +0100 |
||||
+++ bind-9.9.0b2/lib/dns/include/dns/Makefile.in 2011-12-07 16:18:00.374455261 +0100 |
||||
@@ -31,7 +31,8 @@ HEADERS = acl.h adb.h byaddr.h cache.h c |
||||
rdataslab.h rdatatype.h request.h resolver.h result.h \ |
||||
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \ |
||||
tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \ |
||||
- validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h |
||||
+ validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h \ |
||||
+ forward.h |
||||
|
||||
GENHEADERS = enumclass.h enumtype.h rdatastruct.h |
||||
|
@ -0,0 +1,14 @@
@@ -0,0 +1,14 @@
|
||||
diff -up bind-9.7.0-P2/bin/dig/dig.docbook.rh811566 bind-9.7.0-P2/bin/dig/dig.docbook |
||||
--- bind-9.7.0-P2/bin/dig/dig.docbook.rh811566 2012-06-20 15:50:03.206839118 +0200 |
||||
+++ bind-9.7.0-P2/bin/dig/dig.docbook 2012-06-20 15:50:28.368558830 +0200 |
||||
@@ -912,8 +912,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc |
||||
<command>dig</command> appropriately converts character encoding of |
||||
domain name before sending a request to DNS server or displaying a |
||||
reply from the server. |
||||
- If you'd like to turn off the IDN support for some reason, defines |
||||
- the <envar>IDN_DISABLE</envar> environment variable. |
||||
+ If you'd like to turn off the IDN support for some reason, define |
||||
+ the <envar>CHARSET=ASCII</envar> environment variable. |
||||
The IDN support is disabled if the variable is set when |
||||
<command>dig</command> runs. |
||||
</para> |
@ -0,0 +1,41 @@
@@ -0,0 +1,41 @@
|
||||
From 09f1a6e812c02bd8bf1644e2253e21c26d25613a Mon Sep 17 00:00:00 2001 |
||||
From: Tomas Hozza <thozza@redhat.com> |
||||
Date: Thu, 20 Feb 2014 11:01:00 +0100 |
||||
Subject: [PATCH] check TSIG key ID when receiving NOTIFY |
||||
|
||||
Signed-off-by: Tomas Hozza <thozza@redhat.com> |
||||
--- |
||||
lib/dns/zone.c | 8 ++++++-- |
||||
1 file changed, 6 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/lib/dns/zone.c b/lib/dns/zone.c |
||||
index 01ff97b..54b7896 100644 |
||||
--- a/lib/dns/zone.c |
||||
+++ b/lib/dns/zone.c |
||||
@@ -11846,6 +11846,8 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from, |
||||
int match = 0; |
||||
isc_netaddr_t netaddr; |
||||
isc_sockaddr_t local, remote; |
||||
+ dns_tsigkey_t *tsigkey; |
||||
+ dns_name_t *tsig; |
||||
|
||||
REQUIRE(DNS_ZONE_VALID(zone)); |
||||
|
||||
@@ -11928,10 +11930,12 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from, |
||||
|
||||
/* |
||||
* Accept notify requests from non masters if they are on |
||||
- * 'zone->notify_acl'. |
||||
+ * 'zone->notify_acl' or if used key ID match the ACLs. |
||||
*/ |
||||
+ tsigkey = dns_message_gettsigkey(msg); |
||||
+ tsig = dns_tsigkey_identity(tsigkey); |
||||
if (i >= zone->masterscnt && zone->notify_acl != NULL && |
||||
- dns_acl_match(&netaddr, NULL, zone->notify_acl, |
||||
+ dns_acl_match(&netaddr, tsig, zone->notify_acl, |
||||
&zone->view->aclenv, |
||||
&match, NULL) == ISC_R_SUCCESS && |
||||
match > 0) |
||||
-- |
||||
1.8.5.3 |
||||
|
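Review bot: `tsig` is derived from `dns_message_gettsigkey(msg)` unconditionally, so for an unsigned NOTIFY `tsigkey` is NULL and the code relies on `dns_tsigkey_identity()` accepting a NULL key; that holds in the BIND versions I am aware of, but the hunk gives no evidence, so a one-line comment such as `/* tsigkey may be NULL (unsigned NOTIFY); identity is then NULL */` would document the assumption. The rewritten comment also reads awkwardly; suggest `* 'zone->notify_acl', or if the TSIG key that signed the request matches the ACL.` It is worth stating in that comment that a key-based ACL element now authorizes a NOTIFY regardless of source address, since that is the behavioral change operators will need to understand when writing `allow-notify`. dns_zone_notifyreceive() continues outside both hunks.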
@ -0,0 +1,53 @@
@@ -0,0 +1,53 @@
|
||||
From 7f5bdf7f4063c2fefb18900468d2c851f8de7816 Mon Sep 17 00:00:00 2001 |
||||
From: Evan Hunt <each@isc.org> |
||||
Date: Tue, 18 Feb 2014 23:32:02 -0800 |
||||
Subject: [PATCH] [master] fix dns_resolver_destroyfetch race |
||||
|
||||
3747. [bug] A race condition could lead to a core dump when |
||||
destroying a resolver fetch object. [RT #35385] |
||||
--- |
||||
lib/dns/resolver.c | 7 +++++-- |
||||
1 file changed, 5 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index fa188c1..66ab41f 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -357,6 +357,7 @@ typedef struct { |
||||
|
||||
struct dns_fetch { |
||||
unsigned int magic; |
||||
+ isc_mem_t * mctx; |
||||
fetchctx_t * private; |
||||
}; |
||||
|
||||
@@ -8561,6 +8562,8 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, |
||||
fetch = isc_mem_get(res->mctx, sizeof(*fetch)); |
||||
if (fetch == NULL) |
||||
return (ISC_R_NOMEMORY); |
||||
+ fetch->mctx = NULL; |
||||
+ isc_mem_attach(res->mctx, &fetch->mctx); |
||||
|
||||
bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets; |
||||
|
||||
@@ -8651,7 +8654,7 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name, |
||||
FTRACE("created"); |
||||
*fetchp = fetch; |
||||
} else |
||||
- isc_mem_put(res->mctx, fetch, sizeof(*fetch)); |
||||
+ isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch)); |
||||
|
||||
return (result); |
||||
} |
||||
@@ -8742,7 +8745,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) { |
||||
|
||||
UNLOCK(&res->buckets[bucketnum].lock); |
||||
|
||||
- isc_mem_put(res->mctx, fetch, sizeof(*fetch)); |
||||
+ isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch)); |
||||
*fetchp = NULL; |
||||
|
||||
if (bucket_empty) |
||||
-- |
||||
1.9.0 |
||||
|
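Review bot: The new `mctx` member of struct dns_fetch has no comment explaining why the fetch now carries its own memory-context reference instead of freeing through `res->mctx` as before; the rationale given only in the commit message (a race while destroying the fetch) belongs next to the field, e.g. `isc_mem_t * mctx; /* own reference: freed via fetch->mctx, not res->mctx */`. I infer from the two `isc_mem_putanddetach(&fetch->mctx, ...)` hunks that avoiding a read of `res->mctx` at teardown is the point, but the resolver's shutdown ordering is not visible here, so the comment should be checked against it. The `fetch->mctx = NULL;` immediately before `isc_mem_attach()` satisfies that call's requirement that the target pointer start out NULL and also deserves a short comment so it is not removed as redundant.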
@ -0,0 +1,164 @@
@@ -0,0 +1,164 @@
|
||||
diff -up bind-9.8.2rc1/bin/named/include/named/lwresd.h.lwres_tasks_clients bind-9.8.2rc1/bin/named/include/named/lwresd.h |
||||
--- bind-9.8.2rc1/bin/named/include/named/lwresd.h.lwres_tasks_clients 2007-06-20 01:46:59.000000000 +0200 |
||||
+++ bind-9.8.2rc1/bin/named/include/named/lwresd.h 2014-05-19 09:41:56.792427201 +0200 |
||||
@@ -36,6 +36,8 @@ struct ns_lwresd { |
||||
dns_view_t *view; |
||||
ns_lwsearchlist_t *search; |
||||
unsigned int ndots; |
||||
+ unsigned int ntasks; |
||||
+ unsigned int nclients; |
||||
isc_mem_t *mctx; |
||||
isc_boolean_t shutting_down; |
||||
unsigned int refs; |
||||
diff -up bind-9.8.2rc1/bin/named/lwresd.c.lwres_tasks_clients bind-9.8.2rc1/bin/named/lwresd.c |
||||
--- bind-9.8.2rc1/bin/named/lwresd.c.lwres_tasks_clients 2009-09-03 01:48:01.000000000 +0200 |
||||
+++ bind-9.8.2rc1/bin/named/lwresd.c 2014-05-19 09:41:56.793427201 +0200 |
||||
@@ -60,11 +60,7 @@ |
||||
#define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L') |
||||
#define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC) |
||||
|
||||
-/*! |
||||
- * The total number of clients we can handle will be NTASKS * NRECVS. |
||||
- */ |
||||
-#define NTASKS 2 /*%< tasks to create to handle lwres queries */ |
||||
-#define NRECVS 2 /*%< max clients per task */ |
||||
+#define LWRESD_NCLIENTS_MAX 32768 /*%< max clients per task */ |
||||
|
||||
typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t; |
||||
|
||||
@@ -395,6 +391,24 @@ ns_lwdmanager_create(isc_mem_t *mctx, co |
||||
} |
||||
} |
||||
|
||||
+ obj = NULL; |
||||
+ (void)cfg_map_get(lwres, "lwres-tasks", &obj); |
||||
+ if (obj != NULL) |
||||
+ lwresd->ntasks = cfg_obj_asuint32(obj); |
||||
+ else |
||||
+ lwresd->ntasks = ns_g_cpus; |
||||
+ |
||||
+ obj = NULL; |
||||
+ (void)cfg_map_get(lwres, "lwres-clients", &obj); |
||||
+ if (obj != NULL) { |
||||
+ lwresd->nclients = cfg_obj_asuint32(obj); |
||||
+ if (lwresd->nclients > LWRESD_NCLIENTS_MAX) |
||||
+ lwresd->nclients = LWRESD_NCLIENTS_MAX; |
||||
+ } else if (ns_g_lwresdonly) |
||||
+ lwresd->nclients = 1024; |
||||
+ else |
||||
+ lwresd->nclients = 256; |
||||
+ |
||||
lwresd->magic = LWRESD_MAGIC; |
||||
|
||||
*lwresdp = lwresd; |
||||
@@ -604,15 +618,24 @@ static isc_result_t |
||||
listener_startclients(ns_lwreslistener_t *listener) { |
||||
ns_lwdclientmgr_t *cm; |
||||
unsigned int i; |
||||
- isc_result_t result; |
||||
+ isc_result_t result = ISC_R_SUCCESS; |
||||
+ |
||||
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, |
||||
+ NS_LOGMODULE_LWRESD, ISC_LOG_DEBUG(6), |
||||
+ "listener_startclients: creating %d " |
||||
+ "managers with %d clients each", |
||||
+ listener->manager->ntasks, listener->manager->nclients); |
||||
|
||||
/* |
||||
* Create the client managers. |
||||
*/ |
||||
- result = ISC_R_SUCCESS; |
||||
- for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++) |
||||
- result = ns_lwdclientmgr_create(listener, NRECVS, |
||||
+ for (i = 0; i < listener->manager->ntasks; i++) { |
||||
+ result = ns_lwdclientmgr_create(listener, |
||||
+ listener->manager->nclients, |
||||
ns_g_taskmgr); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ break; |
||||
+ } |
||||
|
||||
/* |
||||
* Ensure that we have created at least one. |
||||
diff -up bind-9.8.2rc1/bin/named/named.conf.docbook.lwres_tasks_clients bind-9.8.2rc1/bin/named/named.conf.docbook |
||||
--- bind-9.8.2rc1/bin/named/named.conf.docbook.lwres_tasks_clients 2011-11-07 01:31:47.000000000 +0100 |
||||
+++ bind-9.8.2rc1/bin/named/named.conf.docbook 2014-05-19 09:41:56.793427201 +0200 |
||||
@@ -185,6 +185,8 @@ lwres { |
||||
view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>; |
||||
search { <replaceable>string</replaceable>; ... }; |
||||
ndots <replaceable>integer</replaceable>; |
||||
+ lwres-tasks <replaceable>integer</replaceable>; |
||||
+ lwres-clients <replaceable>integer</replaceable>; |
||||
}; |
||||
</literallayout> |
||||
</refsect1> |
||||
diff -up bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml.lwres_tasks_clients bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml |
||||
--- bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml.lwres_tasks_clients 2014-05-19 09:41:56.770427201 +0200 |
||||
+++ bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml 2014-05-19 10:26:40.147380836 +0200 |
||||
@@ -2964,7 +2964,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2. |
||||
be configured to act as a lightweight resolver daemon using the |
||||
<command>lwres</command> statement in <filename>named.conf</filename>. |
||||
</para> |
||||
- |
||||
+ <para> |
||||
+ The number of client queries that the <command>lwresd</command> |
||||
+ daemon is able to serve can be set using the |
||||
+ <option>lwres-tasks</option> and <option>lwres-clients</option> |
||||
+ statements in the configuration. |
||||
+ </para> |
||||
</sect1> |
||||
</chapter> |
||||
|
||||
@@ -4959,6 +4964,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] |
||||
<optional> view <replaceable>view_name</replaceable>; </optional> |
||||
<optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional> |
||||
<optional> ndots <replaceable>number</replaceable>; </optional> |
||||
+ <optional> lwres-tasks <replaceable>number</replaceable>; </optional> |
||||
+ <optional> lwres-clients <replaceable>number</replaceable>; </optional> |
||||
}; |
||||
</programlisting> |
||||
|
||||
@@ -5017,6 +5024,31 @@ badresp:1,adberr:0,findfail:0,valfail:0] |
||||
number of dots in a relative domain name that should result in an |
||||
exact match lookup before search path elements are appended. |
||||
</para> |
||||
+ <para> |
||||
+ The <option>lwres-tasks</option> statement specifies the number |
||||
+ of worker threads the lightweight resolver will dedicate to serving |
||||
+ clients. By default the number is the same as the number of CPUs on |
||||
+ the system; this can be overridden using the <option>-n</option> |
||||
+ command line option when starting the server. |
||||
+ </para> |
||||
+ <para> |
||||
+ The <option>lwres-clients</option> specifies |
||||
+ the number of client objects per thread the lightweight |
||||
+ resolver should create to serve client queries. |
||||
+ By default, if the lightweight resolver runs as a part |
||||
+ of <command>named</command>, 256 client objects are |
||||
+ created for each task; if it runs as <command>lwresd</command>, |
||||
+ 1024 client objects are created for each thread. The maximum |
||||
+ value is 32768; higher values will be silently ignored and |
||||
+ the maximum will be used instead. |
||||
+ Note that setting too high a value may overconsume |
||||
+ system resources. |
||||
+ </para> |
||||
+ <para> |
||||
+ The maximum number of client queries that the lightweight |
||||
+ resolver can handle at any one time equals |
||||
+ <option>lwres-tasks</option> times <option>lwres-clients</option>. |
||||
+ </para> |
||||
</sect2> |
||||
<sect2> |
||||
<title><command>masters</command> Statement Grammar</title> |
||||
diff -up bind-9.8.2rc1/lib/isccfg/namedconf.c.lwres_tasks_clients bind-9.8.2rc1/lib/isccfg/namedconf.c |
||||
--- bind-9.8.2rc1/lib/isccfg/namedconf.c.lwres_tasks_clients 2014-05-19 09:41:56.771427201 +0200 |
||||
+++ bind-9.8.2rc1/lib/isccfg/namedconf.c 2014-05-19 09:41:56.797427201 +0200 |
||||
@@ -2563,6 +2563,8 @@ lwres_clauses[] = { |
||||
{ "view", &cfg_type_lwres_view, 0 }, |
||||
{ "search", &cfg_type_lwres_searchlist, 0 }, |
||||
{ "ndots", &cfg_type_uint32, 0 }, |
||||
+ { "lwres-tasks", &cfg_type_uint32, 0}, |
||||
+ { "lwres-clients", &cfg_type_uint32, 0}, |
||||
{ NULL, NULL, 0 } |
||||
}; |
||||
|
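Review bot: In ns_lwdmanager_create(), `lwresd->ntasks` is taken straight from `lwres-tasks` with no bound, whereas `nclients` in the same hunk is clamped to LWRESD_NCLIENTS_MAX; a value of 0 leaves listener_startclients() creating no managers (caught only by the "at least one" check just below the hunk), and a very large value creates that many client managers, the resource over-consumption the ARM hunk itself warns about. Suggest mirroring the nclients handling with a cap and a zero check, e.g. `if (lwresd->ntasks == 0 || lwresd->ntasks > LWRESD_NTASKS_MAX)` against a new constant (name constructed here), or rejecting the value when the config is checked. In listener_startclients() the new debug log formats two `unsigned int` values with `%d`; `%u` is the matching conversion. The deleted NTASKS/NRECVS comment stating that total capacity is tasks times clients is now documented only in the ARM; keeping one line of it beside `LWRESD_NCLIENTS_MAX` would help readers of the code.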
@ -0,0 +1,408 @@
@@ -0,0 +1,408 @@
|
||||
From c8cd2cd7f21ce56f93532a6d5f26239e60657acb Mon Sep 17 00:00:00 2001 |
||||
From: Tomas Hozza <thozza@redhat.com> |
||||
Date: Thu, 25 Jun 2015 14:53:31 +0200 |
||||
Subject: [PATCH] nsupdate: Don't extract REAML from ticket, but leave it up to |
||||
GSSAPI |
||||
|
||||
The current implementation of nsupdate does not work correctly with |
||||
GSSAPI in cross realm trust scenarios. The realm is currently |
||||
extracted from local kerberos ticket instead of letting GSSAPI to |
||||
figure out the realm based on the remote nameserver hostname. |
||||
|
||||
RFC 4752 section 3.1 states that the client should use |
||||
GSS_C_NT_HOSTBASED_SERVICE when calling gss_import_name(). |
||||
|
||||
nsupdate now leaves the realm detection up to GSSAPI, if the realm is |
||||
not specified explicitly using the 'realm' option. If the option is |
||||
used, the old behavior is preserved. |
||||
|
||||
Signed-off-by: Tomas Hozza <thozza@redhat.com> |
||||
--- |
||||
bin/nsupdate/nsupdate.1 | 3 +- |
||||
bin/nsupdate/nsupdate.c | 72 ++++++++----------------------------------- |
||||
bin/nsupdate/nsupdate.docbook | 2 +- |
||||
bin/nsupdate/nsupdate.html | 2 +- |
||||
bin/tests/dst/gsstest.c | 4 +-- |
||||
lib/dns/gssapictx.c | 16 +++++++--- |
||||
lib/dns/include/dns/tkey.h | 24 +++++++++------ |
||||
lib/dns/include/dst/gssapi.h | 8 +++-- |
||||
lib/dns/tkey.c | 28 +++++++++-------- |
||||
9 files changed, 65 insertions(+), 94 deletions(-) |
||||
|
||||
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1 |
||||
index 1e2dcaf..c847fb8 100644 |
||||
--- a/bin/nsupdate/nsupdate.1 |
||||
+++ b/bin/nsupdate/nsupdate.1 |
||||
@@ -259,8 +259,7 @@ on the commandline. |
||||
.RS 4 |
||||
When using GSS\-TSIG use |
||||
\fIrealm_name\fR |
||||
-rather than the default realm in |
||||
-\fIkrb5.conf\fR. If no realm is specified the saved realm is cleared. |
||||
+rather than leaving the realm detection up to GSSAPI. If no realm is specified the saved realm is cleared. |
||||
.RE |
||||
.PP |
||||
\fB[prereq]\fR\fB nxdomain\fR {domain\-name} |
||||
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c |
||||
index b901e03..644e3d9 100644 |
||||
--- a/bin/nsupdate/nsupdate.c |
||||
+++ b/bin/nsupdate/nsupdate.c |
||||
@@ -2489,57 +2489,6 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr, |
||||
|
||||
#ifdef GSSAPI |
||||
|
||||
-/* |
||||
- * Get the realm from the users kerberos ticket if possible |
||||
- */ |
||||
-static void |
||||
-get_ticket_realm(isc_mem_t *mctx) |
||||
-{ |
||||
- krb5_context ctx; |
||||
- krb5_error_code rc; |
||||
- krb5_ccache ccache; |
||||
- krb5_principal princ; |
||||
- char *name, *ticket_realm; |
||||
- |
||||
- rc = krb5_init_context(&ctx); |
||||
- if (rc != 0) |
||||
- return; |
||||
- |
||||
- rc = krb5_cc_default(ctx, &ccache); |
||||
- if (rc != 0) { |
||||
- krb5_free_context(ctx); |
||||
- return; |
||||
- } |
||||
- |
||||
- rc = krb5_cc_get_principal(ctx, ccache, &princ); |
||||
- if (rc != 0) { |
||||
- krb5_cc_close(ctx, ccache); |
||||
- krb5_free_context(ctx); |
||||
- return; |
||||
- } |
||||
- |
||||
- rc = krb5_unparse_name(ctx, princ, &name); |
||||
- if (rc != 0) { |
||||
- krb5_free_principal(ctx, princ); |
||||
- krb5_cc_close(ctx, ccache); |
||||
- krb5_free_context(ctx); |
||||
- return; |
||||
- } |
||||
- |
||||
- ticket_realm = strrchr(name, '@'); |
||||
- if (ticket_realm != NULL) { |
||||
- realm = isc_mem_strdup(mctx, ticket_realm); |
||||
- } |
||||
- |
||||
- free(name); |
||||
- krb5_free_principal(ctx, princ); |
||||
- krb5_cc_close(ctx, ccache); |
||||
- krb5_free_context(ctx); |
||||
- if (realm != NULL && debugging) |
||||
- fprintf(stderr, "Found realm from ticket: %s\n", realm+1); |
||||
-} |
||||
- |
||||
- |
||||
static void |
||||
start_gssrequest(dns_name_t *master) { |
||||
gss_ctx_id_t context; |
||||
@@ -2580,11 +2529,15 @@ start_gssrequest(dns_name_t *master) { |
||||
dns_fixedname_init(&fname); |
||||
servname = dns_fixedname_name(&fname); |
||||
|
||||
- if (realm == NULL) |
||||
- get_ticket_realm(mctx); |
||||
- |
||||
- result = isc_string_printf(servicename, sizeof(servicename), |
||||
- "DNS/%s%s", namestr, realm ? realm : ""); |
||||
+ if (realm != NULL) { |
||||
+ /* Use explicit REALM passed as argument */ |
||||
+ result = isc_string_printf(servicename, sizeof(servicename), |
||||
+ "DNS/%s%s", namestr, realm); |
||||
+ } else { |
||||
+ /* Use service@host as advised in RFC4752 section 3.1 */ |
||||
+ result = isc_string_printf(servicename, sizeof(servicename), |
||||
+ "DNS@%s", namestr); |
||||
+ } |
||||
if (result != ISC_R_SUCCESS) |
||||
fatal("isc_string_printf(servicename) failed: %s", |
||||
isc_result_totext(result)); |
||||
@@ -2623,9 +2576,9 @@ start_gssrequest(dns_name_t *master) { |
||||
|
||||
/* Build first request. */ |
||||
context = GSS_C_NO_CONTEXT; |
||||
- result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0, |
||||
- &context, use_win2k_gsstsig, |
||||
- mctx, &err_message); |
||||
+ result = dns_tkey_buildgssquery(rmsg, keyname, servname, |
||||
+ realm != NULL ? ISC_TRUE : ISC_FALSE, NULL, 0, |
||||
+ &context, use_win2k_gsstsig, mctx, &err_message); |
||||
if (result == ISC_R_FAILURE) |
||||
fatal("tkey query failed: %s", |
||||
err_message != NULL ? err_message : "unknown error"); |
||||
@@ -2765,6 +2718,7 @@ recvgss(isc_task_t *task, isc_event_t *event) { |
||||
|
||||
tsigkey = NULL; |
||||
result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname, |
||||
+ realm != NULL ? ISC_TRUE : ISC_FALSE, |
||||
&context, &tsigkey, gssring, |
||||
use_win2k_gsstsig, |
||||
&err_message); |
||||
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook |
||||
index c54211c..bbcc681 100644 |
||||
--- a/bin/nsupdate/nsupdate.docbook |
||||
+++ b/bin/nsupdate/nsupdate.docbook |
||||
@@ -418,7 +418,7 @@ |
||||
<listitem> |
||||
<para> |
||||
When using GSS-TSIG use <parameter>realm_name</parameter> rather |
||||
- than the default realm in <filename>krb5.conf</filename>. If no |
||||
+ than leaving the realm detection up to GSSAPI. If no |
||||
realm is specified the saved realm is cleared. |
||||
</para> |
||||
</listitem> |
||||
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html |
||||
index 276d4af..9c0eba0 100644 |
||||
--- a/bin/nsupdate/nsupdate.html |
||||
+++ b/bin/nsupdate/nsupdate.html |
||||
@@ -327,7 +327,7 @@ |
||||
</span></dt> |
||||
<dd><p> |
||||
When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather |
||||
- than the default realm in <code class="filename">krb5.conf</code>. If no |
||||
+ than leaving the realm detection up to GSSAPI. If no |
||||
realm is specified the saved realm is cleared. |
||||
</p></dd> |
||||
<dt><span class="term"> |
||||
diff --git a/bin/tests/dst/gsstest.c b/bin/tests/dst/gsstest.c |
||||
index c1296f7..7c85d0b 100755 |
||||
--- a/bin/tests/dst/gsstest.c |
||||
+++ b/bin/tests/dst/gsstest.c |
||||
@@ -309,7 +309,7 @@ initctx2(isc_task_t *task, isc_event_t *event) { |
||||
printf("Received token from server, calling gss_init_sec_context()\n"); |
||||
isc_buffer_init(&outtoken, array, DNS_NAME_MAXTEXT + 1); |
||||
result = dns_tkey_processgssresponse(query, response, |
||||
- dns_fixedname_name(&gssname), |
||||
+ dns_fixedname_name(&gssname), ISC_FALSE, |
||||
&gssctx, &outtoken, |
||||
&tsigkey, ring, NULL); |
||||
gssctx = *gssctxp; |
||||
@@ -396,7 +396,7 @@ initctx1(isc_task_t *task, isc_event_t *event) { |
||||
printf("Calling gss_init_sec_context()\n"); |
||||
gssctx = GSS_C_NO_CONTEXT; |
||||
result = dns_tkey_buildgssquery(query, dns_fixedname_name(&servername), |
||||
- dns_fixedname_name(&gssname), |
||||
+ dns_fixedname_name(&gssname), ISC_FALSE, |
||||
NULL, 36000, &gssctx, ISC_TRUE, |
||||
mctx, NULL); |
||||
CHECK("dns_tkey_buildgssquery", result); |
||||
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c |
||||
index aeaeb85..21222e0 100644 |
||||
--- a/lib/dns/gssapictx.c |
||||
+++ b/lib/dns/gssapictx.c |
||||
@@ -558,14 +558,15 @@ gss_err_message(isc_mem_t *mctx, isc_uint32_t major, isc_uint32_t minor, |
||||
#endif |
||||
|
||||
isc_result_t |
||||
-dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken, |
||||
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx, |
||||
- isc_mem_t *mctx, char **err_message) |
||||
+dst_gssapi_initctx(dns_name_t *name, isc_boolean_t explicit_realm, |
||||
+ isc_buffer_t *intoken, isc_buffer_t *outtoken, |
||||
+ gss_ctx_id_t *gssctx, isc_mem_t *mctx, char **err_message) |
||||
{ |
||||
#ifdef GSSAPI |
||||
isc_region_t r; |
||||
isc_buffer_t namebuf; |
||||
gss_name_t gname; |
||||
+ gss_OID gname_type; |
||||
OM_uint32 gret, minor, ret_flags, flags; |
||||
gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER; |
||||
isc_result_t result; |
||||
@@ -580,7 +581,13 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken, |
||||
name_to_gbuffer(name, &namebuf, &gnamebuf); |
||||
|
||||
/* Get the name as a GSS name */ |
||||
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname); |
||||
+ if (explicit_realm == ISC_TRUE) { |
||||
+ gname_type = GSS_C_NO_OID; |
||||
+ } else { |
||||
+ gname_type = GSS_C_NT_HOSTBASED_SERVICE; |
||||
+ } |
||||
+ |
||||
+ gret = gss_import_name(&minor, &gnamebuf, gname_type, &gname); |
||||
if (gret != GSS_S_COMPLETE) { |
||||
gss_err_message(mctx, gret, minor, err_message); |
||||
result = ISC_R_FAILURE; |
||||
@@ -642,6 +649,7 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken, |
||||
return (result); |
||||
#else |
||||
UNUSED(name); |
||||
+ UNUSED(explicit_realm); |
||||
UNUSED(intoken); |
||||
UNUSED(outtoken); |
||||
UNUSED(gssctx); |
||||
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h |
||||
index 0dcec1e..a0e6c2a 100644 |
||||
--- a/lib/dns/include/dns/tkey.h |
||||
+++ b/lib/dns/include/dns/tkey.h |
||||
@@ -123,9 +123,9 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name, |
||||
|
||||
isc_result_t |
||||
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname, |
||||
- isc_buffer_t *intoken, isc_uint32_t lifetime, |
||||
- gss_ctx_id_t *context, isc_boolean_t win2k, |
||||
- isc_mem_t *mctx, char **err_message); |
||||
+ isc_boolean_t explicit_realm, isc_buffer_t *intoken, |
||||
+ isc_uint32_t lifetime, gss_ctx_id_t *context, |
||||
+ isc_boolean_t win2k, isc_mem_t *mctx, char **err_message); |
||||
/*%< |
||||
* Builds a query containing a TKEY that will generate a GSSAPI context. |
||||
* The key is requested to have the specified lifetime (in seconds). |
||||
@@ -134,6 +134,8 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname, |
||||
*\li 'msg' is a valid message |
||||
*\li 'name' is a valid name |
||||
*\li 'gname' is a valid name |
||||
+ *\li 'explicit_realm' ISC_TRUE if an explicit realm is used, |
||||
+ * ISC_FALSE if the realm detection is left up to GSSAPI. |
||||
*\li 'context' is a pointer to a valid gss_ctx_id_t |
||||
* (which may have the value GSS_C_NO_CONTEXT) |
||||
*\li 'win2k' when true says to turn on some hacks to work |
||||
@@ -188,9 +190,10 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
|
||||
isc_result_t |
||||
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
- dns_name_t *gname, gss_ctx_id_t *context, |
||||
- isc_buffer_t *outtoken, dns_tsigkey_t **outkey, |
||||
- dns_tsig_keyring_t *ring, char **err_message); |
||||
+ dns_name_t *gname, isc_boolean_t explicit_realm, |
||||
+ gss_ctx_id_t *context, isc_buffer_t *outtoken, |
||||
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring, |
||||
+ char **err_message); |
||||
/*%< |
||||
* XXX |
||||
*/ |
||||
@@ -216,9 +219,10 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
|
||||
isc_result_t |
||||
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
- dns_name_t *server, gss_ctx_id_t *context, |
||||
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring, |
||||
- isc_boolean_t win2k, char **err_message); |
||||
+ dns_name_t *server, isc_boolean_t explicit_realm, |
||||
+ gss_ctx_id_t *context, dns_tsigkey_t **outkey, |
||||
+ dns_tsig_keyring_t *ring, isc_boolean_t win2k, |
||||
+ char **err_message); |
||||
|
||||
/* |
||||
* Client side negotiation of GSS-TSIG. Process the response |
||||
@@ -231,6 +235,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
* it will be filled with the new message to send |
||||
* 'rmsg' is a valid message, the incoming TKEY message |
||||
* 'server' is the server name |
||||
+ * 'explicit_realm' ISC_TRUE if an explicit realm is used, |
||||
+ * ISC_FALSE if the realm detection is left up to GSSAPI. |
||||
* 'context' is the input context handle |
||||
* 'outkey' receives the established key, if non-NULL; |
||||
* if non-NULL must point to NULL |
||||
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h |
||||
index 1e81a55..d093fa3 100644 |
||||
--- a/lib/dns/include/dst/gssapi.h |
||||
+++ b/lib/dns/include/dst/gssapi.h |
||||
@@ -93,15 +93,17 @@ dst_gssapi_releasecred(gss_cred_id_t *cred); |
||||
*/ |
||||
|
||||
isc_result_t |
||||
-dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken, |
||||
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx, |
||||
- isc_mem_t *mctx, char **err_message); |
||||
+dst_gssapi_initctx(dns_name_t *name, isc_boolean_t explicit_realm, |
||||
+ isc_buffer_t *intoken, isc_buffer_t *outtoken, |
||||
+ gss_ctx_id_t *gssctx, isc_mem_t *mctx, char **err_message); |
||||
/* |
||||
* Initiates a GSS context. |
||||
* |
||||
* Requires: |
||||
* 'name' is a valid name, preferably one known by the GSS |
||||
* provider |
||||
+ * 'explicit_realm' True if the REALM is explicitly included in the 'name', |
||||
+ * otherwise leave the REALM detection up to GSSAPI |
||||
* 'intoken' is a token received from the acceptor, or NULL if |
||||
* there isn't one |
||||
* 'outtoken' is a buffer to receive the token generated by |
||||
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c |
||||
index 20c98e5..3463d3a 100644 |
||||
--- a/lib/dns/tkey.c |
||||
+++ b/lib/dns/tkey.c |
||||
@@ -1016,9 +1016,9 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name, |
||||
|
||||
isc_result_t |
||||
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname, |
||||
- isc_buffer_t *intoken, isc_uint32_t lifetime, |
||||
- gss_ctx_id_t *context, isc_boolean_t win2k, |
||||
- isc_mem_t *mctx, char **err_message) |
||||
+ isc_boolean_t explicit_realm, isc_buffer_t *intoken, |
||||
+ isc_uint32_t lifetime, gss_ctx_id_t *context, |
||||
+ isc_boolean_t win2k, isc_mem_t *mctx, char **err_message) |
||||
{ |
||||
dns_rdata_tkey_t tkey; |
||||
isc_result_t result; |
||||
@@ -1035,7 +1035,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname, |
||||
REQUIRE(mctx != NULL); |
||||
|
||||
isc_buffer_init(&token, array, sizeof(array)); |
||||
- result = dst_gssapi_initctx(gname, NULL, &token, context, |
||||
+ result = dst_gssapi_initctx(gname, explicit_realm, NULL, &token, context, |
||||
mctx, err_message); |
||||
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) |
||||
return (result); |
||||
@@ -1251,9 +1251,10 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
|
||||
isc_result_t |
||||
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
- dns_name_t *gname, gss_ctx_id_t *context, |
||||
- isc_buffer_t *outtoken, dns_tsigkey_t **outkey, |
||||
- dns_tsig_keyring_t *ring, char **err_message) |
||||
+ dns_name_t *gname, isc_boolean_t explicit_realm, |
||||
+ gss_ctx_id_t *context, isc_buffer_t *outtoken, |
||||
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring, |
||||
+ char **err_message) |
||||
{ |
||||
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT; |
||||
dns_name_t *tkeyname; |
||||
@@ -1304,7 +1305,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
|
||||
isc_buffer_init(outtoken, array, sizeof(array)); |
||||
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen); |
||||
- RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context, |
||||
+ RETERR(dst_gssapi_initctx(gname, explicit_realm, &intoken, outtoken, context, |
||||
ring->mctx, err_message)); |
||||
|
||||
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx, |
||||
@@ -1384,9 +1385,10 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
|
||||
isc_result_t |
||||
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
- dns_name_t *server, gss_ctx_id_t *context, |
||||
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring, |
||||
- isc_boolean_t win2k, char **err_message) |
||||
+ dns_name_t *server, isc_boolean_t explicit_realm, |
||||
+ gss_ctx_id_t *context, dns_tsigkey_t **outkey, |
||||
+ dns_tsig_keyring_t *ring, isc_boolean_t win2k, |
||||
+ char **err_message) |
||||
{ |
||||
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT; |
||||
dns_name_t *tkeyname; |
||||
@@ -1430,8 +1432,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg, |
||||
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen); |
||||
isc_buffer_init(&outtoken, array, sizeof(array)); |
||||
|
||||
- result = dst_gssapi_initctx(server, &intoken, &outtoken, context, |
||||
- ring->mctx, err_message); |
||||
+ result = dst_gssapi_initctx(server, explicit_realm, &intoken, &outtoken, |
||||
+ context, ring->mctx, err_message); |
||||
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS) |
||||
return (result); |
||||
|
||||
-- |
||||
2.4.3 |
||||
|
@ -0,0 +1,178 @@
@@ -0,0 +1,178 @@
|
||||
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8 |
||||
index 8538ca8..0ab0049 100644 |
||||
--- a/bin/check/named-checkzone.8 |
||||
+++ b/bin/check/named-checkzone.8 |
||||
@@ -251,7 +251,7 @@ so that include directives in the configuration file are processed as if run by |
||||
.PP |
||||
\-T \fImode\fR |
||||
.RS 4 |
||||
-Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are |
||||
+Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are |
||||
\fB"warn"\fR |
||||
(default), |
||||
\fB"ignore"\fR. |
||||
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook |
||||
index ea37fa2..e78d574 100644 |
||||
--- a/bin/check/named-checkzone.docbook |
||||
+++ b/bin/check/named-checkzone.docbook |
||||
@@ -408,10 +408,10 @@ |
||||
<term>-T <replaceable class="parameter">mode</replaceable></term> |
||||
<listitem> |
||||
<para> |
||||
- Check if Sender Policy Framework records (TXT and SPF) |
||||
- both exist or both don't exist. A warning is issued |
||||
- if they don't match. Possible modes are |
||||
- <command>"warn"</command> (default), <command>"ignore"</command>. |
||||
+ Check if Sender Policy Framework (SPF) records exist |
||||
+ and issues a warning if an SPF-formatted TXT record is |
||||
+ not also present. Possible modes are <command>"warn"</command> |
||||
+ (default), <command>"ignore"</command>. |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh |
||||
index 2353c14..7d9192e 100644 |
||||
--- a/bin/tests/system/checkzone/tests.sh |
||||
+++ b/bin/tests/system/checkzone/tests.sh |
||||
@@ -44,12 +44,12 @@ echo "I:checking with spf warnings ($n)" |
||||
ret=0 |
||||
$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1 |
||||
$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1 |
||||
-grep "'x.example' found SPF/TXT" test.out1.$n > /dev/null || ret=1 |
||||
-grep "'y.example' found SPF/SPF" test.out1.$n > /dev/null || ret=1 |
||||
-grep "'example' found SPF/" test.out1.$n > /dev/null && ret=1 |
||||
-grep "'x.example' found SPF/" test.out2.$n > /dev/null && ret=1 |
||||
-grep "'y.example' found SPF/" test.out2.$n > /dev/null && ret=1 |
||||
-grep "'example' found SPF/" test.out2.$n > /dev/null && ret=1 |
||||
+grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1 |
||||
+grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1 |
||||
+grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1 |
||||
+grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1 |
||||
+grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1 |
||||
+grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1 |
||||
n=`expr $n + 1` |
||||
if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
status=`expr $status + $ret` |
||||
diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh |
||||
index 6acd283..3da6e2e 100644 |
||||
--- a/bin/tests/system/spf/tests.sh |
||||
+++ b/bin/tests/system/spf/tests.sh |
||||
@@ -24,19 +24,16 @@ echo "I:checking that SPF warnings have been correctly generated ($n)" |
||||
ret=0 |
||||
|
||||
grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'x.spf' found SPF/TXT" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'y.spf' found SPF/SPF" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'spf' found SPF/" ns1/named.run > /dev/null && ret=1 |
||||
+grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1 |
||||
+grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1 |
||||
|
||||
grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'x.warn' found SPF/TXT" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'y.warn' found SPF/SPF" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'warn' found SPF/" ns1/named.run > /dev/null && ret=1 |
||||
+grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1 |
||||
+grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1 |
||||
|
||||
grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1 |
||||
-grep "'x.nowarn' found SPF/" ns1/named.run > /dev/null && ret=1 |
||||
-grep "'y.nowarn' found SPF/" ns1/named.run > /dev/null && ret=1 |
||||
-grep "'nowarn' found SPF/" ns1/named.run > /dev/null && ret=1 |
||||
+grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1 |
||||
+grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1 |
||||
n=`expr $n + 1` |
||||
if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
status=`expr $status + $ret` |
||||
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml |
||||
index 96c9faf..bd42e11 100644 |
||||
--- a/doc/arm/Bv9ARM-book.xml |
||||
+++ b/doc/arm/Bv9ARM-book.xml |
||||
@@ -4750,7 +4750,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] |
||||
<optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional> |
||||
<optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional> |
||||
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional> |
||||
- <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional> |
||||
+ <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional> |
||||
<optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional> |
||||
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional> |
||||
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional> |
||||
@@ -6573,10 +6573,13 @@ options { |
||||
The default is <command>yes</command>. |
||||
</para> |
||||
<para> |
||||
- Check that the two forms of Sender Policy Framework |
||||
- records (TXT records starting with "v=spf1" and SPF) either |
||||
- both exist or both don't exist. Warnings are |
||||
- emitted it they don't and be suppressed with |
||||
+ The use of the SPF record for publishing Sender |
||||
+ Policy Framework is deprecated as the migration |
||||
+ from using TXT records to SPF records was abandoned. |
||||
+ Enabling this option also checks that a TXT Sender |
||||
+ Policy Framework record exists (starts with "v=spf1") |
||||
+ if there is an SPF record. Warnings are emitted if the |
||||
+ TXT record does not exist and can be suppressed with |
||||
<command>check-spf</command>. |
||||
</para> |
||||
</listitem> |
||||
@@ -6618,11 +6621,11 @@ options { |
||||
<term><command>check-spf</command></term> |
||||
<listitem> |
||||
<para> |
||||
- When performing integrity checks, check that the |
||||
- two forms of Sender Policy Framwork records (TXT |
||||
- records starting with "v=spf1" and SPF) both exist |
||||
- or both don't exist and issue a warning if not |
||||
- met. The default is <command>warn</command>. |
||||
+ If <command>check-integrity</command> is set then |
||||
+ check that there is a TXT Sender Policy Framework |
||||
+ record present (starts with "v=spf1") if there is an |
||||
+ SPF record present. The default is |
||||
+ <command>warn</command>. |
||||
</para> |
||||
</listitem> |
||||
</varlistentry> |
||||
@@ -10372,7 +10375,7 @@ view "external" { |
||||
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> |
||||
<optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> |
||||
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional> |
||||
- <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional> |
||||
+ <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional> |
||||
<optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional> |
||||
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional> |
||||
<optional> file <replaceable>string</replaceable> ; </optional> |
||||
diff --git a/lib/dns/zone.c b/lib/dns/zone.c |
||||
index 86fad98..08c6d10 100644 |
||||
--- a/lib/dns/zone.c |
||||
+++ b/lib/dns/zone.c |
||||
@@ -2612,8 +2612,8 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { |
||||
|
||||
checkspf: |
||||
/* |
||||
- * Check if there is a type TXT spf record without a type SPF |
||||
- * RRset being present. |
||||
+ * Check if there is a type SPF record without an |
||||
+ * SPF-formatted type TXT record also being present. |
||||
*/ |
||||
if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF)) |
||||
goto next; |
||||
@@ -2642,16 +2642,13 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) { |
||||
dns_rdataset_disassociate(&rdataset); |
||||
|
||||
notxt: |
||||
- if (have_spf != have_txt) { |
||||
+ if (have_spf && !have_txt) { |
||||
char namebuf[DNS_NAME_FORMATSIZE]; |
||||
- const char *found = have_txt ? "TXT" : "SPF"; |
||||
- const char *need = have_txt ? "SPF" : "TXT"; |
||||
|
||||
dns_name_format(name, namebuf, sizeof(namebuf)); |
||||
- dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found SPF/%s " |
||||
- "record but no SPF/%s record found, add " |
||||
- "matching type %s record", namebuf, found, |
||||
- need, need); |
||||
+ dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found type " |
||||
+ "SPF record but no SPF TXT record found, " |
||||
+ "add matching type TXT record", namebuf); |
||||
} |
||||
|
||||
next: |
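Review bot: The spf/tests.sh hunk drops the 'x.spf', 'x.warn' and 'x.nowarn' assertions entirely instead of turning them into negative checks, so the TXT-only case that the new `have_spf && !have_txt` condition in zone.c is meant to silence is no longer covered by that system test; checkzone/tests.sh keeps the equivalent `grep "'x.example' found type SPF" ... && ret=1` line. Add `grep "'x.spf' found type SPF" ns1/named.run > /dev/null && ret=1` after the 'zone spf/IN' check, and the same for 'x.warn' and 'x.nowarn' in their blocks, so a regression that warns on a lone TXT record is caught. The zone.c hunk itself reads correctly: the `found`/`need` locals are gone and the message is now a fixed string with a single `%s`, which matches the one remaining format argument.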
@ -0,0 +1,67 @@
@@ -0,0 +1,67 @@
|
||||
diff -up bind-9.9.4/bin/named/interfacemgr.c.rh1215687-limits bind-9.9.4/bin/named/interfacemgr.c |
||||
--- bind-9.9.4/bin/named/interfacemgr.c.rh1215687-limits 2015-05-20 16:08:21.286007013 +0200 |
||||
+++ bind-9.9.4/bin/named/interfacemgr.c 2015-05-20 16:21:49.227001713 +0200 |
||||
@@ -275,7 +275,7 @@ ns_interface_listenudp(ns_interface_t *i |
||||
result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr, |
||||
ns_g_socketmgr, |
||||
ns_g_taskmgr, &ifp->addr, |
||||
- 4096, 1000, 32768, 8219, 8237, |
||||
+ 4096, 32768, 32768, 8219, 8237, |
||||
attrs, attrmask, |
||||
&ifp->udpdispatch[disp], |
||||
disp == 0 |
||||
diff -up bind-9.9.4/bin/named/server.c.rh1215687-limits bind-9.9.4/bin/named/server.c |
||||
--- bind-9.9.4/bin/named/server.c.rh1215687-limits 2015-05-20 16:08:21.272006979 +0200 |
||||
+++ bind-9.9.4/bin/named/server.c 2015-05-20 16:08:21.288007018 +0200 |
||||
@@ -992,7 +992,7 @@ get_view_querysource_dispatch(const cfg_ |
||||
} |
||||
if (isc_sockaddr_getport(&sa) == 0) { |
||||
attrs |= DNS_DISPATCHATTR_EXCLUSIVE; |
||||
- maxdispatchbuffers = 4096; |
||||
+ maxdispatchbuffers = 32768; |
||||
} else { |
||||
INSIST(obj != NULL); |
||||
if (is_firstview) { |
||||
@@ -1001,7 +1001,7 @@ get_view_querysource_dispatch(const cfg_ |
||||
"suppresses port randomization and can be " |
||||
"insecure."); |
||||
} |
||||
- maxdispatchbuffers = 1000; |
||||
+ maxdispatchbuffers = 32768; |
||||
} |
||||
|
||||
attrmask = 0; |
||||
@@ -6491,7 +6491,7 @@ ns_add_reserved_dispatch(ns_server_t *se |
||||
|
||||
result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr, |
||||
ns_g_taskmgr, &dispatch->addr, 4096, |
||||
- 1000, 32768, 16411, 16433, |
||||
+ 32768, 32768, 16411, 16433, |
||||
attrs, attrmask, &dispatch->dispatch); |
||||
if (result != ISC_R_SUCCESS) |
||||
goto cleanup; |
||||
diff -up bind-9.9.4/lib/dns/dispatch.c.rh1215687-limits bind-9.9.4/lib/dns/dispatch.c |
||||
diff -up bind-9.9.4/lib/dns/request.c.rh1215687-limits bind-9.9.4/lib/dns/request.c |
||||
--- bind-9.9.4/lib/dns/request.c.rh1215687-limits 2013-09-05 07:09:08.000000000 +0200 |
||||
+++ bind-9.9.4/lib/dns/request.c 2015-05-20 16:08:21.286007013 +0200 |
||||
@@ -601,7 +601,7 @@ find_udp_dispatch(dns_requestmgr_t *requ |
||||
requestmgr->socketmgr, |
||||
requestmgr->taskmgr, |
||||
srcaddr, 4096, |
||||
- 1000, 32768, 16411, 16433, |
||||
+ 32768, 32768, 16411, 16433, |
||||
attrs, attrmask, |
||||
dispatchp)); |
||||
} |
||||
diff -up bind-9.9.4/lib/dns/resolver.c.rh1215687-limits bind-9.9.4/lib/dns/resolver.c |
||||
--- bind-9.9.4/lib/dns/resolver.c.rh1215687-limits 2015-05-20 16:08:21.277006991 +0200 |
||||
+++ bind-9.9.4/lib/dns/resolver.c 2015-05-20 16:08:21.285007010 +0200 |
||||
@@ -1489,7 +1489,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr |
||||
result = dns_dispatch_getudp(res->dispatchmgr, |
||||
res->socketmgr, |
||||
res->taskmgr, &addr, |
||||
- 4096, 1000, 32768, 16411, |
||||
+ 4096, 20000, 32768, 16411, |
||||
16433, attrs, attrmask, |
||||
&query->dispatch); |
||||
if (result != ISC_R_SUCCESS) |
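Review bot: The fctx_query call site in resolver.c raises the second buffer argument to 20000 while every other call site in this patch (interfacemgr.c, server.c twice, request.c) goes to 32768, and nothing in the patch records why the resolver's per-query dispatch is sized differently; if it is intentional a short comment on that line, e.g. `/* lower than the shared dispatches: per-fetch dispatch, see rh1215687 */`, would stop a later reader from "fixing" it to match. The `diff -up ... lib/dns/dispatch.c` header before the request.c section has no `---`/`+++` lines or hunk body, so it is a leftover from a dropped change and should be removed from the patch file. Note also that two of the raised values are passed positionally into dns_dispatch_getudp, so the meaning of each number is only visible at the callee, which is outside these hunks.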
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in |
||||
index 50600b7..b0f1700 100644 |
||||
--- a/bin/tests/system/tkey/ns1/named.conf.in |
||||
+++ b/bin/tests/system/tkey/ns1/named.conf.in |
||||
@@ -32,6 +32,7 @@ options { |
||||
tkey-domain "server"; |
||||
tkey-dhkey "server" KEYID; |
||||
allow-query-cache { any; }; |
||||
+ random-device "/dev/urandom"; |
||||
}; |
||||
|
||||
key rndc_key { |
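Review bot: The added `random-device "/dev/urandom";` line carries no explanation in a test fixture where every other option is self-describing, and the reason is presumably that the DH-based TKEY exchange this server performs would otherwise block on the blocking entropy device in a CI environment; confirm against the test's behaviour. A one-line comment above it, `// non-blocking entropy so the TKEY/DH test does not stall on /dev/random`, would make the intent clear to whoever next edits the fixture.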
@ -0,0 +1,58 @@
@@ -0,0 +1,58 @@
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 8696b15..5ef2dd6 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -7373,9 +7373,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) { |
||||
* NXDOMAIN, NXRDATASET, or referral. |
||||
*/ |
||||
result = noanswer_response(fctx, NULL, 0); |
||||
- if (result == DNS_R_CHASEDSSERVERS) { |
||||
- } else if (result == DNS_R_DELEGATION) { |
||||
- force_referral: |
||||
+ switch (result) { |
||||
+ case ISC_R_SUCCESS: |
||||
+ case DNS_R_CHASEDSSERVERS: |
||||
+ break; |
||||
+ case DNS_R_DELEGATION: |
||||
+ force_referral: |
||||
/* |
||||
* We don't have the answer, but we know a better |
||||
* place to look. |
||||
@@ -7400,7 +7403,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) { |
||||
fctx->adberr = 0; |
||||
|
||||
result = ISC_R_SUCCESS; |
||||
- } else if (result != ISC_R_SUCCESS) { |
||||
+ break; |
||||
+ default: |
||||
/* |
||||
* Something has gone wrong. |
||||
*/ |
||||
diff --git a/lib/dns/view.c b/lib/dns/view.c |
||||
index 142b09e..35900b3 100644 |
||||
--- a/lib/dns/view.c |
||||
+++ b/lib/dns/view.c |
||||
@@ -1216,6 +1216,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, |
||||
dns_name_t *zfname; |
||||
dns_rdataset_t zrdataset, zsigrdataset; |
||||
dns_fixedname_t zfixedname; |
||||
+ unsigned int ztoptions = 0; |
||||
|
||||
#ifndef BIND9 |
||||
UNUSED(zone); |
||||
@@ -1242,9 +1243,12 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname, |
||||
#ifdef BIND9 |
||||
zone = NULL; |
||||
LOCK(&view->lock); |
||||
- if (view->zonetable != NULL) |
||||
- result = dns_zt_find(view->zonetable, name, 0, NULL, &zone); |
||||
- else |
||||
+ if (view->zonetable != NULL) { |
||||
+ if ((options & DNS_DBFIND_NOEXACT) != 0) |
||||
+ ztoptions |= DNS_ZTFIND_NOEXACT; |
||||
+ result = dns_zt_find(view->zonetable, name, ztoptions, |
||||
+ NULL, &zone); |
||||
+ } else |
||||
result = ISC_R_NOTFOUND; |
||||
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) |
||||
result = dns_zone_getdb(zone, &db); |
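Review bot: In the view.c hunk the new local `unsigned int ztoptions = 0;` is declared unconditionally but only read inside the `#ifdef BIND9` block, and the function already has an `#ifndef BIND9` branch that marks `zone` with `UNUSED(zone);`, so a non-BIND9 build will presumably get an unused-variable warning for ztoptions; add `UNUSED(ztoptions);` next to `UNUSED(zone);` or move the declaration under `#ifdef BIND9`. In the resolver.c hunks, the `force_referral:` label now lives inside the `case DNS_R_DELEGATION:` arm, so the goto from elsewhere in resquery_response enters the switch body directly; a comment on the label such as `/* entered via goto from the partial-answer path, bypassing the switch */` would help, since the jump source is outside these hunks. The enclosing functions in both files start and end outside the hunks shown.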
@ -0,0 +1,41 @@
@@ -0,0 +1,41 @@
|
||||
From 3acf8e092f95233bc3d854e161569487dce83ba2 Mon Sep 17 00:00:00 2001 |
||||
From: Mark Andrews <marka@isc.org> |
||||
Date: Fri, 3 Feb 2017 14:22:03 +1100 |
||||
Subject: [PATCH] 4567. [port] Call getprotobyname and getservbyname prior to |
||||
calling chroot so that shared libraries get loaded. [RT #44537] |
||||
|
||||
--- |
||||
lib/isc/unix/dir.c | 10 ++++++++++ |
||||
1 file changed, 10 insertions(+) |
||||
|
||||
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c |
||||
index 0d64778..ee80f41 100644 |
||||
--- a/lib/isc/unix/dir.c |
||||
+++ b/lib/isc/unix/dir.c |
||||
@@ -31,6 +31,7 @@ |
||||
|
||||
#include <isc/dir.h> |
||||
#include <isc/magic.h> |
||||
+#include <isc/netdb.h> |
||||
#include <isc/string.h> |
||||
#include <isc/util.h> |
||||
|
||||
@@ -172,6 +173,15 @@ isc_dir_chroot(const char *dirname) { |
||||
REQUIRE(dirname != NULL); |
||||
|
||||
#ifdef HAVE_CHROOT |
||||
+ /* |
||||
+ * Try to use getservbyname and getprotobyname before chroot. |
||||
+ * If WKS records are used in a zone under chroot, Name Service Switch |
||||
+ * may fail to load library in chroot. |
||||
+ * Do not report errors if it fails, we do not need any result now. |
||||
+ */ |
||||
+ if (getprotobyname("udp")) |
||||
+ (void)getservbyname("domain", "udp"); |
||||
+ |
||||
if (chroot(dirname) < 0 || chdir("/") < 0) |
||||
return (isc__errno2result(errno)); |
||||
|
||||
-- |
||||
2.9.3 |
||||
|
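Review bot: The new guard `if (getprotobyname("udp"))` tests a pointer implicitly, whereas the rest of this function compares explicitly (`REQUIRE(dirname != NULL)` a few lines up), so `if (getprotobyname("udp") != NULL)` would match the file's style. The comment block is good on the why; it would be worth adding one sentence that this is a deliberate warm-up of the NSS provider libraries and its result is discarded, e.g. `* The lookups are only made to force the NSS modules to be mapped before the chroot cuts off /lib; the results are ignored.`, so nobody later "optimizes" the calls away. The remainder of isc_dir_chroot is outside the hunk.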
@ -0,0 +1,139 @@
@@ -0,0 +1,139 @@
|
||||
From e7a2611c555e03314ac4f7960044b05cce040364 Mon Sep 17 00:00:00 2001 |
||||
From: Mark Andrews <marka@isc.org> |
||||
Date: Thu, 31 Jul 2014 11:38:11 +1000 |
||||
Subject: [PATCH] 3905. [bug] Address deadlock between view.c and adb.c. [RT |
||||
#36341] |
||||
MIME-Version: 1.0 |
||||
Content-Type: text/plain; charset=UTF-8 |
||||
Content-Transfer-Encoding: 8bit |
||||
|
||||
Original-commit: 5e746ab61ed8158f784b86111fef95581a08b7dd |
||||
Signed-off-by: Petr Menšík <pemensik@redhat.com> |
||||
--- |
||||
lib/dns/adb.c | 57 +++++++++++++++++++++++++++++++++++++++++---------------- |
||||
1 file changed, 41 insertions(+), 16 deletions(-) |
||||
|
||||
diff --git a/lib/dns/adb.c b/lib/dns/adb.c |
||||
index a6da94d..ac89e66 100644 |
||||
--- a/lib/dns/adb.c |
||||
+++ b/lib/dns/adb.c |
||||
@@ -15,8 +15,6 @@ |
||||
* PERFORMANCE OF THIS SOFTWARE. |
||||
*/ |
||||
|
||||
-/* $Id: adb.c,v 1.264 2011/12/05 17:10:51 each Exp $ */ |
||||
- |
||||
/*! \file |
||||
* |
||||
* \note |
||||
@@ -157,7 +155,7 @@ struct dns_adb { |
||||
unsigned int *entry_refcnt; |
||||
|
||||
isc_event_t cevent; |
||||
- isc_boolean_t cevent_sent; |
||||
+ isc_boolean_t cevent_out; |
||||
isc_boolean_t shutting_down; |
||||
isc_eventlist_t whenshutdown; |
||||
isc_event_t growentries; |
||||
@@ -322,6 +320,7 @@ static inline isc_boolean_t unlink_entry(dns_adb_t *, dns_adbentry_t *); |
||||
static isc_boolean_t kill_name(dns_adbname_t **, isc_eventtype_t); |
||||
static void water(void *, int); |
||||
static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t); |
||||
+static void shutdown_task(isc_task_t *task, isc_event_t *ev); |
||||
|
||||
/* |
||||
* MUST NOT overlap DNS_ADBFIND_* flags! |
||||
@@ -1499,10 +1498,13 @@ check_exit(dns_adb_t *adb) { |
||||
* If there aren't any external references either, we're |
||||
* done. Send the control event to initiate shutdown. |
||||
*/ |
||||
- INSIST(!adb->cevent_sent); /* Sanity check. */ |
||||
+ INSIST(!adb->cevent_out); /* Sanity check. */ |
||||
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL, |
||||
+ DNS_EVENT_ADBCONTROL, shutdown_task, adb, |
||||
+ adb, NULL, NULL); |
||||
event = &adb->cevent; |
||||
isc_task_send(adb->task, &event); |
||||
- adb->cevent_sent = ISC_TRUE; |
||||
+ adb->cevent_out = ISC_TRUE; |
||||
} |
||||
} |
||||
|
||||
@@ -2431,10 +2433,9 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr, |
||||
adb->view = view; |
||||
adb->taskmgr = taskmgr; |
||||
adb->next_cleanbucket = 0; |
||||
- ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL, |
||||
- DNS_EVENT_ADBCONTROL, shutdown_task, adb, |
||||
- adb, NULL, NULL); |
||||
- adb->cevent_sent = ISC_FALSE; |
||||
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), |
||||
+ 0, NULL, 0, NULL, NULL, NULL, NULL, NULL); |
||||
+ adb->cevent_out = ISC_FALSE; |
||||
adb->shutting_down = ISC_FALSE; |
||||
ISC_LIST_INIT(adb->whenshutdown); |
||||
|
||||
@@ -2468,7 +2469,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr, |
||||
"intializing table sizes to %u\n", |
||||
nbuckets[11]); |
||||
adb->nentries = nbuckets[11]; |
||||
- adb->nnames= nbuckets[11]; |
||||
+ adb->nnames = nbuckets[11]; |
||||
|
||||
} |
||||
|
||||
@@ -2741,9 +2742,28 @@ dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) { |
||||
UNLOCK(&adb->lock); |
||||
} |
||||
|
||||
+static void |
||||
+shutdown_stage2(isc_task_t *task, isc_event_t *event) { |
||||
+ dns_adb_t *adb; |
||||
+ |
||||
+ UNUSED(task); |
||||
+ |
||||
+ adb = event->ev_arg; |
||||
+ INSIST(DNS_ADB_VALID(adb)); |
||||
+ |
||||
+ LOCK(&adb->lock); |
||||
+ INSIST(adb->shutting_down); |
||||
+ adb->cevent_out = ISC_FALSE; |
||||
+ (void)shutdown_names(adb); |
||||
+ (void)shutdown_entries(adb); |
||||
+ if (dec_adb_irefcnt(adb)) |
||||
+ check_exit(adb); |
||||
+ UNLOCK(&adb->lock); |
||||
+} |
||||
+ |
||||
void |
||||
dns_adb_shutdown(dns_adb_t *adb) { |
||||
- isc_boolean_t need_check_exit; |
||||
+ isc_event_t *event; |
||||
|
||||
/* |
||||
* Shutdown 'adb'. |
||||
@@ -2754,11 +2774,16 @@ dns_adb_shutdown(dns_adb_t *adb) { |
||||
if (!adb->shutting_down) { |
||||
adb->shutting_down = ISC_TRUE; |
||||
isc_mem_setwater(adb->mctx, water, adb, 0, 0); |
||||
- need_check_exit = shutdown_names(adb); |
||||
- if (!need_check_exit) |
||||
- need_check_exit = shutdown_entries(adb); |
||||
- if (need_check_exit) |
||||
- check_exit(adb); |
||||
+ /* |
||||
+ * Isolate shutdown_names and shutdown_entries calls. |
||||
+ */ |
||||
+ inc_adb_irefcnt(adb); |
||||
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL, |
||||
+ DNS_EVENT_ADBCONTROL, shutdown_stage2, adb, |
||||
+ adb, NULL, NULL); |
||||
+ adb->cevent_out = ISC_TRUE; |
||||
+ event = &adb->cevent; |
||||
+ isc_task_send(adb->task, &event); |
||||
} |
||||
|
||||
UNLOCK(&adb->lock); |
||||
-- |
||||
2.9.3 |
||||
|
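Review bot: The comment introduced in dns_adb_shutdown, `Isolate shutdown_names and shutdown_entries calls.`, says what is done but not why or how the reference count is balanced: the `inc_adb_irefcnt(adb)` taken here is released by `dec_adb_irefcnt(adb)` in the new shutdown_stage2, and the deferral to the adb task is presumably what breaks the view.c/adb.c lock-order deadlock named in the subject. Expand it to something like `Defer shutdown_names/shutdown_entries to the adb task so they run without the caller's (view) lock held; the irefcnt taken here is dropped in shutdown_stage2.` and give shutdown_stage2 a short header comment stating that it runs on adb->task, clears cevent_out, and may re-arm cevent via check_exit. The placeholder `ISC_EVENT_INIT(&adb->cevent, ..., 0, NULL, 0, NULL, NULL, NULL, NULL, NULL)` in dns_adb_create also deserves a one-line note that the event type and action are filled in at send time, since both check_exit and dns_adb_shutdown now re-initialise the same embedded event.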
@ -0,0 +1,102 @@
@@ -0,0 +1,102 @@
|
||||
From a58f31659a924c59f6342d79d2c19ee956453d82 Mon Sep 17 00:00:00 2001 |
||||
From: Mark Andrews <marka@isc.org> |
||||
Date: Sat, 18 Oct 2014 12:40:13 +1100 |
||||
Subject: [PATCH 2/2] 3980. [bug] Improve --with-tuning=large by |
||||
self tuning of SO_RCVBUF size. [RT #37187] |
||||
|
||||
(cherry picked from commit 871f3c8beeb2134b17414ec167b90a57adb8e122) |
||||
--- |
||||
lib/isc/unix/socket.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++---- |
||||
1 file changed, 61 insertions(+), 5 deletions(-) |
||||
|
||||
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c |
||||
index af0c3bc..90953ff 100644 |
||||
--- a/lib/isc/unix/socket.c |
||||
+++ b/lib/isc/unix/socket.c |
||||
@@ -2245,6 +2245,62 @@ free_socket(isc__socket_t **socketp) { |
||||
*socketp = NULL; |
||||
} |
||||
|
||||
+#ifdef SO_RCVBUF |
||||
+static isc_once_t rcvbuf_once = ISC_ONCE_INIT; |
||||
+static int rcvbuf = RCVBUFSIZE; |
||||
+ |
||||
+static void |
||||
+set_rcvbuf(void) { |
||||
+ int fd; |
||||
+ int max = rcvbuf, min; |
||||
+ ISC_SOCKADDR_LEN_T len; |
||||
+ |
||||
+ fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); |
||||
+#if defined(ISC_PLATFORM_HAVEIPV6) |
||||
+ if (fd == -1) { |
||||
+ switch (errno) { |
||||
+ case EPROTONOSUPPORT: |
||||
+ case EPFNOSUPPORT: |
||||
+ case EAFNOSUPPORT: |
||||
+ /* |
||||
+ * Linux 2.2 (and maybe others) return EINVAL instead of |
||||
+ * EAFNOSUPPORT. |
||||
+ */ |
||||
+ case EINVAL: |
||||
+ fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); |
||||
+ break; |
||||
+ } |
||||
+ } |
||||
+#endif |
||||
+ if (fd == -1) |
||||
+ return; |
||||
+ |
||||
+ len = sizeof(min); |
||||
+ if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&min, &len) >= 0 && |
||||
+ min < rcvbuf) { |
||||
+ again: |
||||
+ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf, |
||||
+ sizeof(rcvbuf)) == -1) { |
||||
+ if (errno == ENOBUFS && rcvbuf > min) { |
||||
+ max = rcvbuf - 1; |
||||
+ rcvbuf = (rcvbuf + min) / 2; |
||||
+ goto again; |
||||
+ } else { |
||||
+ rcvbuf = min; |
||||
+ goto cleanup; |
||||
+ } |
||||
+ } else |
||||
+ min = rcvbuf; |
||||
+ if (min != max) { |
||||
+ rcvbuf = max; |
||||
+ goto again; |
||||
+ } |
||||
+ } |
||||
+ cleanup: |
||||
+ close (fd); |
||||
+} |
||||
+#endif |
||||
+ |
||||
#ifdef SO_BSDCOMPAT |
||||
/* |
||||
* This really should not be necessary to do. Having to workout |
||||
@@ -2609,15 +2665,15 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock, |
||||
#if defined(SO_RCVBUF) |
||||
optlen = sizeof(size); |
||||
if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, |
||||
- (void *)&size, &optlen) >= 0 && |
||||
- size < RCVBUFSIZE) { |
||||
- size = RCVBUFSIZE; |
||||
+ (void *)&size, &optlen) >= 0 && size < rcvbuf) { |
||||
+ RUNTIME_CHECK(isc_once_do(&rcvbuf_once, |
||||
+ set_rcvbuf) == ISC_R_SUCCESS); |
||||
if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF, |
||||
- (void *)&size, sizeof(size)) == -1) { |
||||
+ (void *)&rcvbuf, sizeof(rcvbuf)) == -1) { |
||||
isc__strerror(errno, strbuf, sizeof(strbuf)); |
||||
UNEXPECTED_ERROR(__FILE__, __LINE__, |
||||
"setsockopt(%d, SO_RCVBUF, %d) %s: %s", |
||||
- sock->fd, size, |
||||
+ sock->fd, rcvbuf, |
||||
isc_msgcat_get(isc_msgcat, |
||||
ISC_MSGSET_GENERAL, |
||||
ISC_MSG_FAILED, |
||||
-- |
||||
2.9.5 |
||||
|
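Review bot: In opensocket the comparison `size < rcvbuf` reads the static `rcvbuf` before `isc_once_do(&rcvbuf_once, set_rcvbuf)` has tuned it, so on the first socket the test is made against the untuned RCVBUFSIZE and the tuner only runs afterwards; moving the `RUNTIME_CHECK(isc_once_do(...))` to just before the getsockopt makes the decision use the probed value consistently. set_rcvbuf also trusts the setsockopt return to detect the ceiling, but on Linux SO_RCVBUF requests above rmem_max are silently clamped and return success, so the probe may settle on the full RCVBUFSIZE while the effective buffer is smaller; re-reading SO_RCVBUF with getsockopt after a successful set (allowing for the kernel reporting the doubled value) would detect that and is worth a comment either way. Minor style: `close (fd);` has a space before the parenthesis, unlike the other calls in the hunk.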
@ -0,0 +1,434 @@
@@ -0,0 +1,434 @@
|
||||
From 148bbbd1c1463c9b9626d7d9668d8768179d596b Mon Sep 17 00:00:00 2001 |
||||
From: Mark Andrews <marka@isc.org> |
||||
Date: Fri, 11 Dec 2015 14:52:12 +1100 |
||||
Subject: [PATCH 1/2] add digdelv |
||||
|
||||
(cherry picked from commit 51aed1827453f40ee56b165d45c5d58d96838d94) |
||||
|
||||
Deleted failing tests |
||||
--- |
||||
bin/tests/system/conf.sh.in | 2 +- |
||||
bin/tests/system/digdelv/clean.sh | 21 +++++ |
||||
bin/tests/system/digdelv/ns1/named.conf | 37 +++++++++ |
||||
bin/tests/system/digdelv/ns1/root.db | 29 +++++++ |
||||
bin/tests/system/digdelv/ns2/example.db | 50 ++++++++++++ |
||||
bin/tests/system/digdelv/ns2/named.conf | 40 ++++++++++ |
||||
bin/tests/system/digdelv/ns3/named.conf | 36 +++++++++ |
||||
bin/tests/system/digdelv/tests.sh | 137 ++++++++++++++++++++++++++++++++ |
||||
8 files changed, 351 insertions(+), 1 deletion(-) |
||||
create mode 100644 bin/tests/system/digdelv/clean.sh |
||||
create mode 100644 bin/tests/system/digdelv/ns1/named.conf |
||||
create mode 100644 bin/tests/system/digdelv/ns1/root.db |
||||
create mode 100644 bin/tests/system/digdelv/ns2/example.db |
||||
create mode 100644 bin/tests/system/digdelv/ns2/named.conf |
||||
create mode 100644 bin/tests/system/digdelv/ns3/named.conf |
||||
create mode 100644 bin/tests/system/digdelv/tests.sh |
||||
|
||||
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in |
||||
index 6df4734..49c5686 100644 |
||||
--- a/bin/tests/system/conf.sh.in |
||||
+++ b/bin/tests/system/conf.sh.in |
||||
@@ -60,7 +60,7 @@ SAMPLE=$TOP/lib/export/samples/sample |
||||
# v6synth |
||||
SUBDIRS="acl additional allow_query addzone autosign builtin |
||||
cacheclean checkconf @CHECKDS@ checknames checkzone @COVERAGE@ |
||||
- database dlv dlvauto dlz dlzexternal dname dns64 dnssec dyndb |
||||
+ database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec dyndb |
||||
ecdsa formerr forward glue gost ixfr inline limits logfileconfig |
||||
lwresd masterfile masterformat metadata notify nsupdate pending |
||||
@PKCS11_TEST@ redirect resolver rndc rpz rrl rrsetorder rsabigexponent |
||||
diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh |
||||
new file mode 100644 |
||||
index 0000000..0f442fb |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/clean.sh |
||||
@@ -0,0 +1,21 @@ |
||||
+#!/bin/sh |
||||
+# |
||||
+# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+# |
||||
+# Permission to use, copy, modify, and/or distribute this software for any |
||||
+# purpose with or without fee is hereby granted, provided that the above |
||||
+# copyright notice and this permission notice appear in all copies. |
||||
+# |
||||
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+# PERFORMANCE OF THIS SOFTWARE. |
||||
+ |
||||
+rm -f dig.out.test* |
||||
+rm -f delv.out.test* |
||||
+rm -f */named.memstats |
||||
+rm -f */named.run |
||||
+rm -f ns*/named.lock |
||||
diff --git a/bin/tests/system/digdelv/ns1/named.conf b/bin/tests/system/digdelv/ns1/named.conf |
||||
new file mode 100644 |
||||
index 0000000..c5f0470 |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/ns1/named.conf |
||||
@@ -0,0 +1,37 @@ |
||||
+/* |
||||
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+ * |
||||
+ * Permission to use, copy, modify, and/or distribute this software for any |
||||
+ * purpose with or without fee is hereby granted, provided that the above |
||||
+ * copyright notice and this permission notice appear in all copies. |
||||
+ * |
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+ * PERFORMANCE OF THIS SOFTWARE. |
||||
+ */ |
||||
+ |
||||
+// NS1 |
||||
+ |
||||
+controls { /* empty */ }; |
||||
+ |
||||
+options { |
||||
+ query-source address 10.53.0.1; |
||||
+ port 5300; |
||||
+ pid-file "named.pid"; |
||||
+ listen-on { 10.53.0.1; }; |
||||
+ listen-on-v6 { fd92:7065:b8e:ffff::1; }; |
||||
+ recursion no; |
||||
+ notify yes; |
||||
+ dnssec-enable no; |
||||
+ dnssec-validation no; |
||||
+}; |
||||
+ |
||||
+zone "." { |
||||
+ type master; |
||||
+ file "root.db"; |
||||
+}; |
||||
+ |
||||
diff --git a/bin/tests/system/digdelv/ns1/root.db b/bin/tests/system/digdelv/ns1/root.db |
||||
new file mode 100644 |
||||
index 0000000..f4316a5 |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/ns1/root.db |
||||
@@ -0,0 +1,29 @@ |
||||
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+; |
||||
+; Permission to use, copy, modify, and/or distribute this software for any |
||||
+; purpose with or without fee is hereby granted, provided that the above |
||||
+; copyright notice and this permission notice appear in all copies. |
||||
+; |
||||
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+; PERFORMANCE OF THIS SOFTWARE. |
||||
+ |
||||
+$TTL 300 |
||||
+. IN SOA gson.nominum.com. a.root.servers.nil. ( |
||||
+ 2000042100 ; serial |
||||
+ 600 ; refresh |
||||
+ 600 ; retry |
||||
+ 1200 ; expire |
||||
+ 600 ; minimum |
||||
+ ) |
||||
+. NS a.root-servers.nil. |
||||
+a.root-servers.nil. A 10.53.0.1 |
||||
+a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1 |
||||
+ |
||||
+example. NS ns2.example. |
||||
+ns2.example. A 10.53.0.2 |
||||
+ns2.example. AAAA fd92:7065:b8e:ffff::2 |
||||
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db |
||||
new file mode 100644 |
||||
index 0000000..0a1aa5d |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/ns2/example.db |
||||
@@ -0,0 +1,50 @@ |
||||
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+; |
||||
+; Permission to use, copy, modify, and/or distribute this software for any |
||||
+; purpose with or without fee is hereby granted, provided that the above |
||||
+; copyright notice and this permission notice appear in all copies. |
||||
+; |
||||
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+; PERFORMANCE OF THIS SOFTWARE. |
||||
+ |
||||
+$TTL 300 ; 5 minutes |
||||
+@ IN SOA mname1. . ( |
||||
+ 2000042407 ; serial |
||||
+ 20 ; refresh (20 seconds) |
||||
+ 20 ; retry (20 seconds) |
||||
+ 1814400 ; expire (3 weeks) |
||||
+ 3600 ; minimum (1 hour) |
||||
+ ) |
||||
+ NS ns2 |
||||
+ NS ns3 |
||||
+ns2 A 10.53.0.2 |
||||
+ns2 AAAA fd92:7065:b8e:ffff::2 |
||||
+ns3 A 10.53.0.3 |
||||
+ns3 AAAA fd92:7065:b8e:ffff::3 |
||||
+ |
||||
+a A 10.0.0.1 |
||||
+a AAAA fd92:7065:b8e:ffff::1 |
||||
+b A 10.0.0.2 |
||||
+b AAAA fd92:7065:b8e:ffff::2 |
||||
+c A 10.0.0.3 |
||||
+c AAAA fd92:7065:b8e:ffff::3 |
||||
+ |
||||
+foo TXT "testing" |
||||
+foo A 10.0.1.0 |
||||
+foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890 |
||||
+ |
||||
+;; |
||||
+;; we are not testing DNSSEC behavior, so we don't care about the semantics |
||||
+;; of the following records. |
||||
+dnskey 300 DNSKEY 256 3 1 ( |
||||
+ AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg |
||||
+ +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD |
||||
+ Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R |
||||
+ b9VIE5x7KNHAYTvTO5d4S8M= |
||||
+ ) |
||||
+ |
||||
diff --git a/bin/tests/system/digdelv/ns2/named.conf b/bin/tests/system/digdelv/ns2/named.conf |
||||
new file mode 100644 |
||||
index 0000000..266e958 |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/ns2/named.conf |
||||
@@ -0,0 +1,40 @@ |
||||
+/* |
||||
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+ * |
||||
+ * Permission to use, copy, modify, and/or distribute this software for any |
||||
+ * purpose with or without fee is hereby granted, provided that the above |
||||
+ * copyright notice and this permission notice appear in all copies. |
||||
+ * |
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+ * PERFORMANCE OF THIS SOFTWARE. |
||||
+ */ |
||||
+ |
||||
+// NS2 |
||||
+ |
||||
+controls { /* empty */ }; |
||||
+ |
||||
+options { |
||||
+ query-source address 10.53.0.2; |
||||
+ port 5300; |
||||
+ pid-file "named.pid"; |
||||
+ listen-on { 10.53.0.2; }; |
||||
+ listen-on-v6 { fd92:7065:b8e:ffff::2; }; |
||||
+ recursion no; |
||||
+ dnssec-enable no; |
||||
+ dnssec-validation no; |
||||
+}; |
||||
+ |
||||
+zone "." { |
||||
+ type hint; |
||||
+ file "../../common/root.hint"; |
||||
+}; |
||||
+ |
||||
+zone "example" { |
||||
+ type master; |
||||
+ file "example.db"; |
||||
+}; |
||||
diff --git a/bin/tests/system/digdelv/ns3/named.conf b/bin/tests/system/digdelv/ns3/named.conf |
||||
new file mode 100644 |
||||
index 0000000..e73c543 |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/ns3/named.conf |
||||
@@ -0,0 +1,36 @@ |
||||
+/* |
||||
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+ * |
||||
+ * Permission to use, copy, modify, and/or distribute this software for any |
||||
+ * purpose with or without fee is hereby granted, provided that the above |
||||
+ * copyright notice and this permission notice appear in all copies. |
||||
+ * |
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+ * PERFORMANCE OF THIS SOFTWARE. |
||||
+ */ |
||||
+ |
||||
+// NS4 |
||||
+ |
||||
+controls { /* empty */ }; |
||||
+ |
||||
+options { |
||||
+ query-source address 10.53.0.3; |
||||
+ port 5300; |
||||
+ pid-file "named.pid"; |
||||
+ listen-on { 10.53.0.3; }; |
||||
+ listen-on-v6 { fd92:7065:b8e:ffff::3; }; |
||||
+ recursion yes; |
||||
+ acache-enable yes; |
||||
+ dnssec-enable no; |
||||
+ dnssec-validation no; |
||||
+}; |
||||
+ |
||||
+zone "." { |
||||
+ type hint; |
||||
+ file "../../common/root.hint"; |
||||
+}; |
||||
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh |
||||
new file mode 100644 |
||||
index 0000000..988bd52 |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/digdelv/tests.sh |
||||
@@ -0,0 +1,137 @@ |
||||
+# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC") |
||||
+# |
||||
+# Permission to use, copy, modify, and/or distribute this software for any |
||||
+# purpose with or without fee is hereby granted, provided that the above |
||||
+# copyright notice and this permission notice appear in all copies. |
||||
+# |
||||
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
||||
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
||||
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
||||
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
||||
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
||||
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
+# PERFORMANCE OF THIS SOFTWARE. |
||||
+ |
||||
+SYSTEMTESTTOP=.. |
||||
+. $SYSTEMTESTTOP/conf.sh |
||||
+ |
||||
+status=0 |
||||
+n=0 |
||||
+# using dig insecure mode as not testing dnssec here |
||||
+DIGOPTS="-i -p 5300" |
||||
+ |
||||
+if [ -x ${DIG} ] ; then |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking dig short form works ($n)" |
||||
+ ret=0 |
||||
+ $DIG $DIGOPTS @10.53.0.3 +short a a.example > dig.out.test$n || ret=1 |
||||
+ if test `wc -l < dig.out.test$n` != 1 ; then ret=1 ; fi |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking dig split width works ($n)" |
||||
+ ret=0 |
||||
+ $DIG $DIGOPTS @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1 |
||||
+ grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking dig with reverse lookup works ($n)" |
||||
+ ret=0 |
||||
+ $DIG $DIGOPTS @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1 |
||||
+ # doesn't matter if has answer |
||||
+ grep -i "127\.in-addr\.arpa\." < dig.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking dig over TCP works ($n)" |
||||
+ ret=0 |
||||
+ $DIG $DIGOPTS +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1 |
||||
+ grep "10\.0\.0\.1$" < dig.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking dig +rrcomments works for DNSKEY($n)" |
||||
+ ret=0 |
||||
+ $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1 |
||||
+ grep "; ZSK; alg = RSAMD5 *; key id = 30795" < dig.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+else |
||||
+ echo "W:$DIG is needed, so skipping these dig tests" |
||||
+fi |
||||
+ |
||||
+# using delv insecure mode as not testing dnssec here |
||||
+DELVOPTS="-i -p 5300" |
||||
+ |
||||
+if [ -n "${DELV}" -a -x "${DELV}" ] ; then |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking delv short form works ($n)" |
||||
+ ret=0 |
||||
+ $DELV $DELVOPTS @10.53.0.3 +short a a.example > delv.out.test$n || ret=1 |
||||
+ if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking delv split width works ($n)" |
||||
+ ret=0 |
||||
+ $DELV $DELVOPTS @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1 |
||||
+ grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking delv with IPv6 on IPv4 does not work ($n)" |
||||
+ if $TESTSOCK6 fd92:7065:b8e:ffff::3 |
||||
+ then |
||||
+ ret=0 |
||||
+ # following should fail because @IPv4 overrides earlier @IPv6 above |
||||
+ # and -6 forces IPv6 so this should fail, such as: |
||||
+ # ;; getaddrinfo failed: hostname nor servname provided, or not known |
||||
+ # ;; resolution failed: not found |
||||
+ # note that delv returns success even on lookup failure |
||||
+ $DELV $DELVOPTS @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 || ret=1 |
||||
+ # it should have no results but error output |
||||
+ grep "testing" < delv.out.test$n > /dev/null && ret=1 |
||||
+ grep "getaddrinfo failed:" < delv.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ else |
||||
+ echo "I:IPv6 unavailable; skipping" |
||||
+ fi |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking delv with reverse lookup works ($n)" |
||||
+ ret=0 |
||||
+ $DELV $DELVOPTS @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1 |
||||
+ # doesn't matter if has answer |
||||
+ grep -i "127\.in-addr\.arpa\." < delv.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking delv over TCP works ($n)" |
||||
+ ret=0 |
||||
+ $DELV $DELVOPTS @10.53.0.3 a a.example > delv.out.test$n || ret=1 |
||||
+ grep "10\.0\.0\.1$" < delv.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking delv +rrcomments works for DNSKEY($n)" |
||||
+ ret=0 |
||||
+ $DELV $DELVOPTS @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1 |
||||
+ grep "; ZSK; alg = RSAMD5 *; key id = 30795" < delv.out.test$n > /dev/null || ret=1 |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
+ exit $status |
||||
+else |
||||
+ echo "W:${DELV:-delv} is not available, so skipping these delv tests" |
||||
+fi |
||||
-- |
||||
2.9.5 |
||||
|
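Review bot: The dig guard in tests.sh, `if [ -x ${DIG} ] ; then`, leaves `${DIG}` unquoted, so when `DIG` is unset or empty the condition collapses to the one-argument form `[ -x ]`, which is true, and the dig cases run with an empty command instead of being skipped; the delv guard further down (`if [ -n "${DELV}" -a -x "${DELV}" ]`) already handles this case correctly. Change the line to `if [ -n "${DIG}" ] && [ -x "${DIG}" ] ; then` so both halves of the script behave the same way when a tool is missing. The same unquoted expansion appears in the skip message `echo "W:$DIG is needed, so skipping these dig tests"`, which would print an empty name; `${DIG:-dig}` mirrors what the delv branch does.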
@@ -0,0 +1,195 @@
|
||||
From a200b2dd994cbb4ff29151ff46342268bc8fb3c2 Mon Sep 17 00:00:00 2001 |
||||
From: Evan Hunt <each@isc.org> |
||||
Date: Mon, 11 Sep 2017 10:34:10 -0700 |
||||
Subject: [PATCH 2/2] dig: retain domain when retrying with tcp |
||||
|
||||
4712. [bug] "dig +domain" and "dig +search" didn't retain the |
||||
search domain when retrying with TCP. [RT #45547] |
||||
|
||||
(cherry picked from commit 8e014c45ae75a3ca893cec6a0711beb69ecd18a4) |
||||
(cherry picked from commit 88e2cefcc2e8f48c0fba97661ff79c2506b52b23) |
||||
(cherry picked from commit 51b00c6c783ccf5dca86119ff8f4f8b994298ca4) |
||||
|
||||
Modified to pass with libidn |
||||
|
||||
Fix origin test |
||||
--- |
||||
bin/dig/dighost.c | 13 ++++------- |
||||
bin/tests/system/ans.pl | 43 +++++++++++++++++++++++++---------- |
||||
bin/tests/system/digdelv/ans4/startme | 0 |
||||
bin/tests/system/digdelv/tests.sh | 23 ++++++++++++++++++- |
||||
4 files changed, 58 insertions(+), 21 deletions(-) |
||||
create mode 100644 bin/tests/system/digdelv/ans4/startme |
||||
|
||||
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c |
||||
index 5c03d95..3a066c6 100644 |
||||
--- a/bin/dig/dighost.c |
||||
+++ b/bin/dig/dighost.c |
||||
@@ -887,6 +887,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) { |
||||
looknew->section_answer = lookold->section_answer; |
||||
looknew->section_authority = lookold->section_authority; |
||||
looknew->section_additional = lookold->section_additional; |
||||
+ looknew->origin = lookold->origin; |
||||
looknew->retries = lookold->retries; |
||||
looknew->tsigctx = NULL; |
||||
looknew->need_search = lookold->need_search; |
||||
@@ -2134,6 +2135,7 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
|
||||
#ifdef WITH_IDN |
||||
if (lookup->origin != NULL) { |
||||
+ debug("trying origin %s", lookup->origin->origin); |
||||
mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, |
||||
lookup->origin->origin, utf8_origin, |
||||
sizeof(utf8_origin)); |
||||
@@ -2148,6 +2150,7 @@ setup_lookup(dig_lookup_t *lookup) { |
||||
idn_check_result(mr, "convert UTF-8 textname to IDN encoding"); |
||||
#elif defined (WITH_LIBIDN) |
||||
if (lookup->origin != NULL) { |
||||
+ debug("trying origin %s", lookup->origin->origin); |
||||
result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str); |
||||
check_result (result, "convert origin to UTF-8"); |
||||
if (len > 0 && utf8_name[len - 1] != '.') { |
||||
@@ -3409,7 +3407,6 @@ recv_done(isc_task_t *task, isc_event_t *event) { |
||||
printf(";; Truncated, retrying in TCP mode.\n"); |
||||
n = requeue_lookup(l, ISC_TRUE); |
||||
n->tcp_mode = ISC_TRUE; |
||||
- n->origin = query->lookup->origin; |
||||
dns_message_destroy(&msg); |
||||
isc_event_free(&event); |
||||
clear_query(query); |
||||
diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl |
||||
index d6ff3c2..d8c9f9d 100644 |
||||
--- a/bin/tests/system/ans.pl |
||||
+++ b/bin/tests/system/ans.pl |
||||
@@ -35,7 +35,12 @@ |
||||
# |
||||
# There can be any number of patterns, each associated |
||||
# with any number of response RRs. Each pattern is a |
||||
-# Perl regular expression. |
||||
+# Perl regular expression. If an empty pattern ("//") is |
||||
+# received, the server will ignore all incoming queries (TCP |
||||
+# connections will still be accepted, but both UDP queries |
||||
+# and TCP queries will not be responded to). If a non-empty |
||||
+# pattern is then received over the same control connection, |
||||
+# default behavior is restored. |
||||
# |
||||
# Each incoming query is converted into a string of the form |
||||
# "qname qtype" (the printable query domain name, space, |
||||
@@ -105,6 +110,9 @@ $SIG{TERM} = \&rmpid; |
||||
|
||||
#my @answers = (); |
||||
my @rules; |
||||
+my $udphandler; |
||||
+my $tcphandler; |
||||
+ |
||||
sub handleUDP { |
||||
my ($buf) = @_; |
||||
my $request; |
||||
@@ -414,8 +422,15 @@ for (;;) { |
||||
while (my $line = $conn->getline) { |
||||
chomp $line; |
||||
if ($line =~ m!^/(.*)/$!) { |
||||
- $rule = { pattern => $1, answer => [] }; |
||||
- push(@rules, $rule); |
||||
+ if (length($1) == 0) { |
||||
+ $udphandler = sub { return; }; |
||||
+ $tcphandler = sub { return; }; |
||||
+ } else { |
||||
+ $udphandler = \&handleUDP; |
||||
+ $tcphandler = \&handleTCP; |
||||
+ $rule = { pattern => $1, answer => [] }; |
||||
+ push(@rules, $rule); |
||||
+ } |
||||
} else { |
||||
push(@{$rule->{answer}}, |
||||
new Net::DNS::RR($line)); |
||||
@@ -430,9 +445,11 @@ for (;;) { |
||||
printf "UDP request\n"; |
||||
my $buf; |
||||
$udpsock->recv($buf, 512); |
||||
- my $result = handleUDP($buf); |
||||
- my $num_chars = $udpsock->send($result); |
||||
- print " Sent $num_chars bytes via UDP\n"; |
||||
+ my $result = &$udphandler($buf); |
||||
+ if (defined($result)) { |
||||
+ my $num_chars = $udpsock->send($result); |
||||
+ print " Sent $num_chars bytes via UDP\n"; |
||||
+ } |
||||
} elsif (vec($rout, fileno($tcpsock), 1)) { |
||||
my $conn = $tcpsock->accept; |
||||
my $buf; |
||||
@@ -444,12 +461,14 @@ for (;;) { |
||||
$n = $conn->sysread($buf, $len); |
||||
last unless $n == $len; |
||||
print "TCP request\n"; |
||||
- my $result = handleTCP($buf); |
||||
- foreach my $response (@$result) { |
||||
- $len = length($response); |
||||
- $n = $conn->syswrite(pack("n", $len), 2); |
||||
- $n = $conn->syswrite($response, $len); |
||||
- print " Sent: $n chars via TCP\n"; |
||||
+ my $result = &$tcphandler($buf); |
||||
+ if (defined($result)) { |
||||
+ foreach my $response (@$result) { |
||||
+ $len = length($response); |
||||
+ $n = $conn->syswrite(pack("n", $len), 2); |
||||
+ $n = $conn->syswrite($response, $len); |
||||
+ print " Sent: $n chars via TCP\n"; |
||||
+ } |
||||
} |
||||
} |
||||
$conn->close; |
||||
diff --git a/bin/tests/system/digdelv/ans4/startme b/bin/tests/system/digdelv/ans4/startme |
||||
new file mode 100644 |
||||
index 0000000..e69de29 |
||||
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh |
||||
index 988bd52..a19256c 100644 |
||||
--- a/bin/tests/system/digdelv/tests.sh |
||||
+++ b/bin/tests/system/digdelv/tests.sh |
||||
@@ -19,6 +19,7 @@ status=0 |
||||
n=0 |
||||
# using dig insecure mode as not testing dnssec here |
||||
DIGOPTS="-i -p 5300" |
||||
+SENDCMD="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 5301" |
||||
|
||||
if [ -x ${DIG} ] ; then |
||||
n=`expr $n + 1` |
||||
@@ -62,6 +63,24 @@ if [ -x ${DIG} ] ; then |
||||
if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
status=`expr $status + $ret` |
||||
|
||||
+ n=`expr $n + 1` |
||||
+ echo "I:checking dig preserves origin on TCP retries ($n)" |
||||
+ ret=0 |
||||
+ # Ask ans4 to still accept TCP connections, but not respond to queries |
||||
+ echo "//" | $SENDCMD |
||||
+ $DIG $DIGOPTS -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1 |
||||
+ l=`grep "trying origin bar" dig.out.test$n | wc -l` |
||||
+ [ ${l:-0} -eq 2 ] || ret=1 |
||||
+ if grep "libidn_locale_to_utf8" dig.out.test$n > /dev/null |
||||
+ then |
||||
+ # libidn patch uses always using root origin, but print also name |
||||
+ grep '^foo\.$' < dig.out.test$n > /dev/null && ret=1 |
||||
+ else |
||||
+ grep "using root origin" < dig.out.test$n > /dev/null && ret=1 |
||||
+ fi |
||||
+ if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+ status=`expr $status + $ret` |
||||
+ |
||||
else |
||||
echo "W:$DIG is needed, so skipping these dig tests" |
||||
fi |
||||
@@ -131,7 +150,9 @@ if [ -n "${DELV}" -a -x "${DELV}" ] ; then |
||||
if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
status=`expr $status + $ret` |
||||
|
||||
- exit $status |
||||
else |
||||
echo "W:${DELV:-delv} is not available, so skipping these delv tests" |
||||
fi |
||||
+ |
||||
+echo "I:exit status: $status" |
||||
+[ $status -eq 0 ] || exit 1 |
||||
-- |
||||
2.9.5 |
||||
|
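Review bot: `$udphandler` and `$tcphandler` are declared without a value (`my $udphandler;`, `my $tcphandler;`) and are only assigned once a pattern line arrives on the control connection, yet the request loop now dispatches through `&$udphandler($buf)` and `&$tcphandler($buf)` unconditionally. A query that reaches ans.pl before any pattern has been sent would die on an undefined code reference, where the old code called `handleUDP`/`handleTCP` directly and answered. Initialise the handlers to the default behaviour at declaration, `my $udphandler = \&handleUDP;` and `my $tcphandler = \&handleTCP;`, so the `//` control message only ever toggles away from a working default. The `for (;;)` request loop these calls live in begins outside the hunk, so whether an earlier guard exists there cannot be confirmed from this patch.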
@@ -0,0 +1,32 @@
|
||||
From e3894cd3a92be79a64072835008ec589b17c601a Mon Sep 17 00:00:00 2001 |
||||
From: Evan Hunt <each@isc.org> |
||||
Date: Wed, 9 Apr 2014 17:17:53 -0700 |
||||
Subject: [PATCH] [v9_9] missing manpage install rule for dnssec-importkey |
||||
|
||||
(cherry picked from commit 540daf2887dfc813657c27408a2363ba719bf8d4) |
||||
--- |
||||
bin/dnssec/Makefile.in | 4 ++-- |
||||
1 file changed, 2 insertions(+), 2 deletions(-) |
||||
|
||||
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in |
||||
index 5966d16..58352d8 100644 |
||||
--- a/bin/dnssec/Makefile.in |
||||
+++ b/bin/dnssec/Makefile.in |
||||
@@ -55,12 +55,12 @@ SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \ |
||||
|
||||
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \ |
||||
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \ |
||||
- dnssec-verify.8 |
||||
+ dnssec-verify.8 dnssec-importkey.8 |
||||
|
||||
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \ |
||||
dnssec-keygen.html dnssec-revoke.html \ |
||||
dnssec-settime.html dnssec-signzone.html \ |
||||
- dnssec-verify.html |
||||
+ dnssec-verify.html dnssec-importkey.html |
||||
|
||||
MANOBJS = ${MANPAGES} ${HTMLPAGES} |
||||
|
||||
-- |
||||
2.9.4 |
||||
|
@@ -0,0 +1,574 @@
|
||||
From 4827d4b06c2aaec913536143e4a26a0904d1fc58 Mon Sep 17 00:00:00 2001 |
||||
From: Mark Andrews <marka@isc.org> |
||||
Date: Fri, 7 Jul 2017 23:19:05 +1000 |
||||
Subject: [PATCH] 4647. [bug] Change 4643 broke verification of TSIG signed TCP |
||||
message sequences where not all the messages contain TSIG records. These may |
||||
be used in AXFR and IXFR responses. [RT #45509] |
||||
|
||||
(cherry picked from commit 58f0fb325bbd9258d06431281eb8fdea2b126305) |
||||
--- |
||||
lib/dns/tests/Makefile.in | 9 +- |
||||
lib/dns/tests/tsig_test.c | 489 ++++++++++++++++++++++++++++++++++++++++++++++ |
||||
lib/dns/tsig.c | 10 +- |
||||
3 files changed, 504 insertions(+), 4 deletions(-) |
||||
create mode 100644 lib/dns/tests/tsig_test.c |
||||
|
||||
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in |
||||
index 8d1b83e..023e60c 100644 |
||||
--- a/lib/dns/tests/Makefile.in |
||||
+++ b/lib/dns/tests/Makefile.in |
||||
@@ -39,13 +39,13 @@ LIBS = @LIBS@ @ATFLIBS@ |
||||
|
||||
OBJS = dnstest.@O@ |
||||
SRCS = dnstest.c gost_test.c master_test.c dbiterator_test.c time_test.c \ |
||||
- private_test.c update_test.c zonemgr_test.c zt_test.c \ |
||||
+ private_test.c tsig_test.c update_test.c zonemgr_test.c zt_test.c \ |
||||
dbdiff_test.c geoip_test.c dispatch_test.c nsec3_test.c \ |
||||
rdataset_test.c rdata_test.c |
||||
|
||||
SUBDIRS = |
||||
TARGETS = gost_test@EXEEXT@ master_test@EXEEXT@ dbiterator_test@EXEEXT@ time_test@EXEEXT@ \ |
||||
- private_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \ |
||||
+ private_test@EXEEXT@ tsig_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \ |
||||
zt_test@EXEEXT@ dbversion_test@EXEEXT@ dbdiff_test@EXEEXT@ geoip_test@EXEEXT@ \ |
||||
dispatch_test@EXEEXT@ nsec3_test@EXEEXT@ \ |
||||
rdataset_test@EXEEXT@ rdata_test@EXEEXT@ |
||||
@@ -134,6 +134,11 @@ geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} |
||||
geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \ |
||||
${ISCLIBS} ${LIBS} |
||||
|
||||
+tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} |
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ |
||||
+ tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \ |
||||
+ ${ISCLIBS} ${LIBS} |
||||
+ |
||||
unit:: |
||||
sh ${top_srcdir}/unit/unittest.sh |
||||
|
||||
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c |
||||
new file mode 100644 |
||||
index 0000000..956e4a0 |
||||
--- /dev/null |
||||
+++ b/lib/dns/tests/tsig_test.c |
||||
@@ -0,0 +1,489 @@ |
||||
+/* |
||||
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC") |
||||
+ * |
||||
+ * This Source Code Form is subject to the terms of the Mozilla Public |
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this |
||||
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
+ */ |
||||
+ |
||||
+/* ! \file */ |
||||
+ |
||||
+#include <config.h> |
||||
+#include <atf-c.h> |
||||
+#include <isc/mem.h> |
||||
+ |
||||
+#include <dns/rdatalist.h> |
||||
+#include <dns/rdataset.h> |
||||
+#include <dns/tsig.h> |
||||
+ |
||||
+#include "dnstest.h" |
||||
+ |
||||
+#ifdef HAVE_INTTYPES_H |
||||
+#include <inttypes.h> /* uintptr_t */ |
||||
+#endif |
||||
+ |
||||
+static int debug = 0; |
||||
+ |
||||
+static isc_result_t |
||||
+add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) { |
||||
+ dns_rdata_any_tsig_t tsig; |
||||
+ dns_rdata_t rdata = DNS_RDATA_INIT; |
||||
+ isc_buffer_t databuf; |
||||
+ isc_region_t r; |
||||
+ isc_result_t result; |
||||
+ unsigned char tsigbuf[1024]; |
||||
+ |
||||
+ isc_buffer_usedregion(buf, &r); |
||||
+ dns_rdata_fromregion(&rdata, dns_rdataclass_any, |
||||
+ dns_rdatatype_tsig, &r); |
||||
+ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf)); |
||||
+ CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL)); |
||||
+ isc_buffer_putuint16(&databuf, tsig.siglen); |
||||
+ isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen); |
||||
+ isc_buffer_usedregion(&databuf, &r); |
||||
+ result = dst_context_adddata(tsigctx, &r); |
||||
+ dns_rdata_freestruct(&tsig); |
||||
+ cleanup: |
||||
+ return (result); |
||||
+} |
||||
+ |
||||
+static isc_result_t |
||||
+add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) { |
||||
+ dns_compress_t cctx; |
||||
+ dns_rdata_any_tsig_t tsig; |
||||
+ dns_rdata_t rdata = DNS_RDATA_INIT; |
||||
+ dns_rdatalist_t rdatalist; |
||||
+ dns_rdataset_t rdataset; |
||||
+ isc_buffer_t *dynbuf = NULL; |
||||
+ isc_buffer_t databuf; |
||||
+ isc_buffer_t sigbuf; |
||||
+ isc_region_t r; |
||||
+ isc_result_t result = ISC_R_SUCCESS; |
||||
+ isc_stdtime_t now; |
||||
+ unsigned char tsigbuf[1024]; |
||||
+ unsigned int count; |
||||
+ unsigned int sigsize; |
||||
+ isc_boolean_t invalidate_ctx = ISC_FALSE; |
||||
+ |
||||
+ CHECK(dns_compress_init(&cctx, -1, mctx)); |
||||
+ invalidate_ctx = ISC_TRUE; |
||||
+ |
||||
+ memset(&tsig, 0, sizeof(tsig)); |
||||
+ tsig.common.rdclass = dns_rdataclass_any; |
||||
+ tsig.common.rdtype = dns_rdatatype_tsig; |
||||
+ ISC_LINK_INIT(&tsig.common, link); |
||||
+ dns_name_init(&tsig.algorithm, NULL); |
||||
+ dns_name_clone(key->algorithm, &tsig.algorithm); |
||||
+ |
||||
+ isc_stdtime_get(&now); |
||||
+ tsig.timesigned = now; |
||||
+ tsig.fudge = DNS_TSIG_FUDGE; |
||||
+ tsig.originalid = 50; |
||||
+ tsig.error = dns_rcode_noerror; |
||||
+ tsig.otherlen = 0; |
||||
+ tsig.other = NULL; |
||||
+ |
||||
+ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf)); |
||||
+ isc_buffer_putuint48(&databuf, tsig.timesigned); |
||||
+ isc_buffer_putuint16(&databuf, tsig.fudge); |
||||
+ isc_buffer_usedregion(&databuf, &r); |
||||
+ CHECK(dst_context_adddata(tsigctx, &r)); |
||||
+ |
||||
+ CHECK(dst_key_sigsize(key->key, &sigsize)); |
||||
+ tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize); |
||||
+ if (tsig.signature == NULL) |
||||
+ CHECK(ISC_R_NOMEMORY); |
||||
+ isc_buffer_init(&sigbuf, tsig.signature, sigsize); |
||||
+ CHECK(dst_context_sign(tsigctx, &sigbuf)); |
||||
+ tsig.siglen = isc_buffer_usedlength(&sigbuf); |
||||
+ |
||||
+ CHECK(isc_buffer_allocate(mctx, &dynbuf, 512)); |
||||
+ CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any, |
||||
+ dns_rdatatype_tsig, &tsig, dynbuf)); |
||||
+ dns_rdatalist_init(&rdatalist); |
||||
+ rdatalist.rdclass = dns_rdataclass_any; |
||||
+ rdatalist.type = dns_rdatatype_tsig; |
||||
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link); |
||||
+ dns_rdataset_init(&rdataset); |
||||
+ CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset)); |
||||
+ CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx, |
||||
+ target, 0, &count)); |
||||
+ |
||||
+ /* |
||||
+ * Fixup additional record count. |
||||
+ */ |
||||
+ ((unsigned char*)target->base)[11]++; |
||||
+ if (((unsigned char*)target->base)[11] == 0) |
||||
+ ((unsigned char*)target->base)[10]++; |
||||
+ cleanup: |
||||
+ if (tsig.signature != NULL) |
||||
+ isc_mem_put(mctx, tsig.signature, sigsize); |
||||
+ if (dynbuf != NULL) |
||||
+ isc_buffer_free(&dynbuf); |
||||
+ if (invalidate_ctx) |
||||
+ dns_compress_invalidate(&cctx); |
||||
+ |
||||
+ return (result); |
||||
+} |
||||
+ |
||||
+static void |
||||
+printmessage(dns_message_t *msg) { |
||||
+ isc_buffer_t b; |
||||
+ char *buf = NULL; |
||||
+ int len = 1024; |
||||
+ isc_result_t result = ISC_R_SUCCESS; |
||||
+ |
||||
+ if (!debug) |
||||
+ return; |
||||
+ |
||||
+ do { |
||||
+ buf = isc_mem_get(mctx, len); |
||||
+ if (buf == NULL) { |
||||
+ result = ISC_R_NOMEMORY; |
||||
+ break; |
||||
+ } |
||||
+ |
||||
+ isc_buffer_init(&b, buf, len); |
||||
+ result = dns_message_totext(msg, &dns_master_style_debug, |
||||
+ 0, &b); |
||||
+ if (result == ISC_R_NOSPACE) { |
||||
+ isc_mem_put(mctx, buf, len); |
||||
+ len *= 2; |
||||
+ } else if (result == ISC_R_SUCCESS) |
||||
+ printf("%.*s\n", (int) isc_buffer_usedlength(&b), buf); |
||||
+ } while (result == ISC_R_NOSPACE); |
||||
+ |
||||
+ if (buf != NULL) |
||||
+ isc_mem_put(mctx, buf, len); |
||||
+} |
||||
+ |
||||
+static void |
||||
+render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key, |
||||
+ isc_buffer_t **tsigin, isc_buffer_t **tsigout, |
||||
+ dst_context_t *tsigctx) |
||||
+{ |
||||
+ dns_message_t *msg = NULL; |
||||
+ dns_compress_t cctx; |
||||
+ isc_result_t result; |
||||
+ |
||||
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_create: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ msg->id = 50; |
||||
+ msg->rcode = dns_rcode_noerror; |
||||
+ msg->flags = flags; |
||||
+ |
||||
+ if (tsigin == tsigout) |
||||
+ msg->tcp_continuation = 1; |
||||
+ |
||||
+ if (tsigctx == NULL) { |
||||
+ result = dns_message_settsigkey(msg, key); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_settsigkey: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_setquerytsig(msg, *tsigin); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_setquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ } |
||||
+ |
||||
+ result = dns_compress_init(&cctx, -1, mctx); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_compress_init: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_renderbegin(msg, &cctx, buf); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_renderbegin: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_renderend(msg); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_renderend: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ if (tsigctx != NULL) { |
||||
+ isc_region_t r; |
||||
+ |
||||
+ isc_buffer_usedregion(buf, &r); |
||||
+ result = dst_context_adddata(tsigctx, &r); |
||||
+ } else { |
||||
+ if (tsigin == tsigout && *tsigin != NULL) |
||||
+ isc_buffer_free(tsigin); |
||||
+ |
||||
+ result = dns_message_getquerytsig(msg, mctx, tsigout); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_getquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ } |
||||
+ |
||||
+ dns_compress_invalidate(&cctx); |
||||
+ dns_message_destroy(&msg); |
||||
+} |
||||
+ |
||||
+/* |
||||
+ * Check that a simulated three message TCP sequence where the first |
||||
+ * and last messages contain TSIGs but the intermediate message doesn't |
||||
+ * correctly verifies. |
||||
+ */ |
||||
+ATF_TC(tsig_tcp); |
||||
+ATF_TC_HEAD(tsig_tcp, tc) { |
||||
+ atf_tc_set_md_var(tc, "descr", "test tsig tcp-continuation validation"); |
||||
+} |
||||
+ATF_TC_BODY(tsig_tcp, tc) { |
||||
+ dns_name_t *tsigowner = NULL; |
||||
+ dns_fixedname_t fkeyname; |
||||
+ dns_message_t *msg = NULL; |
||||
+ dns_name_t *keyname; |
||||
+ dns_tsig_keyring_t *ring = NULL; |
||||
+ dns_tsigkey_t *key = NULL; |
||||
+ isc_buffer_t *buf = NULL; |
||||
+ isc_buffer_t *querytsig = NULL; |
||||
+ isc_buffer_t *tsigin = NULL; |
||||
+ isc_buffer_t *tsigout = NULL; |
||||
+ isc_result_t result; |
||||
+ unsigned char secret[16] = { 0 }; |
||||
+ dst_context_t *tsigctx = NULL; |
||||
+ dst_context_t *outctx = NULL; |
||||
+ |
||||
+ UNUSED(tc); |
||||
+ |
||||
+ result = dns_test_begin(stderr, ISC_FALSE); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ /* isc_log_setdebuglevel(lctx, 99); */ |
||||
+ |
||||
+ dns_fixedname_init(&fkeyname); |
||||
+ keyname = dns_fixedname_name(&fkeyname); |
||||
+ result = dns_name_fromstring(keyname, "test", 0, NULL); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ result = dns_tsigkeyring_create(mctx, &ring); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name, |
||||
+ secret, sizeof(secret), ISC_FALSE, |
||||
+ NULL, 0, 0, mctx, ring, &key); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ /* |
||||
+ * Create request. |
||||
+ */ |
||||
+ result = isc_buffer_allocate(mctx, &buf, 65535); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ render(buf, 0, key, &tsigout, &querytsig, NULL); |
||||
+ isc_buffer_free(&buf); |
||||
+ |
||||
+ /* |
||||
+ * Create response message 1. |
||||
+ */ |
||||
+ result = isc_buffer_allocate(mctx, &buf, 65535); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL); |
||||
+ |
||||
+ /* |
||||
+ * Process response message 1. |
||||
+ */ |
||||
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_create: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_settsigkey(msg, key); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_settsigkey: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_parse(msg, buf, 0); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_parse: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ printmessage(msg); |
||||
+ |
||||
+ result = dns_message_setquerytsig(msg, querytsig); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_setquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_tsig_verify(buf, msg, NULL, NULL); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_tsig_verify: %s", |
||||
+ dns_result_totext(result)); |
||||
+ ATF_CHECK_EQ(msg->verified_sig, 1); |
||||
+ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror); |
||||
+ |
||||
+ /* |
||||
+ * Check that we have a TSIG in the first message. |
||||
+ */ |
||||
+ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL); |
||||
+ |
||||
+ result = dns_message_getquerytsig(msg, mctx, &tsigin); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_getquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ tsigctx = msg->tsigctx; |
||||
+ msg->tsigctx = NULL; |
||||
+ isc_buffer_free(&buf); |
||||
+ dns_message_destroy(&msg); |
||||
+ |
||||
+ result = dst_context_create2(key->key, mctx, DNS_LOGCATEGORY_DNSSEC, |
||||
+ &outctx); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ /* |
||||
+ * Start digesting. |
||||
+ */ |
||||
+ result = add_mac(outctx, tsigout); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ /* |
||||
+ * Create response message 2. |
||||
+ */ |
||||
+ result = isc_buffer_allocate(mctx, &buf, 65535); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx); |
||||
+ |
||||
+ /* |
||||
+ * Process response message 2. |
||||
+ */ |
||||
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_create: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ msg->tcp_continuation = 1; |
||||
+ msg->tsigctx = tsigctx; |
||||
+ tsigctx = NULL; |
||||
+ |
||||
+ result = dns_message_settsigkey(msg, key); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_settsigkey: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_parse(msg, buf, 0); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_parse: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ printmessage(msg); |
||||
+ |
||||
+ result = dns_message_setquerytsig(msg, tsigin); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_setquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_tsig_verify(buf, msg, NULL, NULL); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_tsig_verify: %s", |
||||
+ dns_result_totext(result)); |
||||
+ ATF_CHECK_EQ(msg->verified_sig, 1); |
||||
+ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror); |
||||
+ |
||||
+ /* |
||||
+ * Check that we don't have a TSIG in the second message. |
||||
+ */ |
||||
+ tsigowner = NULL; |
||||
+ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL); |
||||
+ |
||||
+ tsigctx = msg->tsigctx; |
||||
+ msg->tsigctx = NULL; |
||||
+ isc_buffer_free(&buf); |
||||
+ dns_message_destroy(&msg); |
||||
+ |
||||
+ /* |
||||
+ * Create response message 3. |
||||
+ */ |
||||
+ result = isc_buffer_allocate(mctx, &buf, 65535); |
||||
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); |
||||
+ render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx); |
||||
+ |
||||
+ result = add_tsig(outctx, key, buf); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "add_tsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ /* |
||||
+ * Process response message 3. |
||||
+ */ |
||||
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_create: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ msg->tcp_continuation = 1; |
||||
+ msg->tsigctx = tsigctx; |
||||
+ tsigctx = NULL; |
||||
+ |
||||
+ result = dns_message_settsigkey(msg, key); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_settsigkey: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_message_parse(msg, buf, 0); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_parse: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ printmessage(msg); |
||||
+ |
||||
+ /* |
||||
+ * Check that we had a TSIG in the third message. |
||||
+ */ |
||||
+ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL); |
||||
+ |
||||
+ result = dns_message_setquerytsig(msg, tsigin); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_setquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ result = dns_tsig_verify(buf, msg, NULL, NULL); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_tsig_verify: %s", |
||||
+ dns_result_totext(result)); |
||||
+ ATF_CHECK_EQ(msg->verified_sig, 1); |
||||
+ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror); |
||||
+ |
||||
+ if (tsigin != NULL) |
||||
+ isc_buffer_free(&tsigin); |
||||
+ |
||||
+ result = dns_message_getquerytsig(msg, mctx, &tsigin); |
||||
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, |
||||
+ "dns_message_getquerytsig: %s", |
||||
+ dns_result_totext(result)); |
||||
+ |
||||
+ isc_buffer_free(&buf); |
||||
+ dns_message_destroy(&msg); |
||||
+ |
||||
+ if (outctx != NULL) |
||||
+ dst_context_destroy(&outctx); |
||||
+ if (querytsig != NULL) |
||||
+ isc_buffer_free(&querytsig); |
||||
+ if (tsigin != NULL) |
||||
+ isc_buffer_free(&tsigin); |
||||
+ if (tsigout != NULL) |
||||
+ isc_buffer_free(&tsigout); |
||||
+ if (buf != NULL) |
||||
+ isc_buffer_free(&buf); |
||||
+ if (msg != NULL) |
||||
+ dns_message_destroy(&msg); |
||||
+ if (key != NULL) |
||||
+ dns_tsigkey_detach(&key); |
||||
+ if (ring != NULL) |
||||
+ dns_tsigkeyring_detach(&ring); |
||||
+ dns_test_end(); |
||||
+} |
||||
+ |
||||
+/* |
||||
+ * Main |
||||
+ */ |
||||
+ATF_TP_ADD_TCS(tp) { |
||||
+ ATF_TP_ADD_TC(tp, tsig_tcp); |
||||
+ return (atf_no_error()); |
||||
+} |
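Review bot: In `render()`, the `tsigctx != NULL` branch assigns `result = dst_context_adddata(tsigctx, &r);` and never checks it, so a digest failure would surface only later as a misleading `dns_tsig_verify` mismatch; add `ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "dst_context_adddata: %s", dns_result_totext(result));` right after the call. A smaller point: `ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);` is repeated twice in a row before the second `render()` in `tsig_tcp`. The assertion `msg->verified_sig == 1` on the unsigned middle message is the interesting part of this test and deserves a comment saying it is intentional, e.g. `/* Unsigned TCP continuation: verified only because its bytes are folded into the running MAC that message 3's TSIG covers. */`, so a later reader does not "fix" it.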
||||
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c |
||||
index 7b91d1e..325c901 100644 |
||||
--- a/lib/dns/tsig.c |
||||
+++ b/lib/dns/tsig.c |
||||
@@ -1535,7 +1535,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
||||
msg->verified_sig = 1; |
||||
ret = ISC_R_SUCCESS; |
||||
|
||||
-cleanup_context: |
||||
+ cleanup_context: |
||||
if (ctx != NULL) |
||||
dst_context_destroy(&ctx); |
||||
|
||||
@@ -1859,8 +1859,14 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) { |
||||
ret = ISC_R_SUCCESS; |
||||
|
||||
cleanup_context: |
||||
- if (msg->tsigctx != NULL) |
||||
+ /* |
||||
+ * Except in error conditions, don't destroy the DST context |
||||
+ * for unsigned messages; it is a running sum till the next |
||||
+ * TSIG signed message. |
||||
+ */ |
||||
+ if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) { |
||||
dst_context_destroy(&msg->tsigctx); |
||||
+ } |
||||
|
||||
cleanup_querystruct: |
||||
dns_rdata_freestruct(&querytsig); |
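Review bot: The new comment explains why the DST context survives an unsigned message, but not who releases it if the stream ends without another signed message; the accompanying unit test steals it with `msg->tsigctx = NULL` before `dns_message_destroy`, which suggests message destruction frees it — confirm and say so, e.g. `* The context is released with the message if no signed message follows.`. It is also worth stating in the comment that `ISC_R_SUCCESS` for an unsigned continuation presumably means only that its bytes were added to the running MAC, and the message is not authenticated until the next TSIG verifies, so callers must not act on it as if it were. `has_tsig` and the start of `tsig_verify_tcp` are outside this hunk.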
||||
-- |
||||
2.9.4 |
||||
|
@ -0,0 +1,44 @@
@@ -0,0 +1,44 @@
|
||||
diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook |
||||
--- bind-9.9.2/bin/dig/dig.docbook.rh640538 2012-09-27 02:35:19.000000000 +0200 |
||||
+++ bind-9.9.2/bin/dig/dig.docbook 2012-11-12 14:47:17.385334972 +0100 |
||||
@@ -961,6 +961,40 @@ dig +qr www.isc.org any -x 127.0.0.1 isc |
||||
</refsect1> |
||||
|
||||
<refsect1> |
||||
+ <title>RETURN CODES</title> |
||||
+ <para> |
||||
+ <command>Dig</command> return codes are: |
||||
+ <variablelist> |
||||
+ <varlistentry> |
||||
+ <listitem> |
||||
+ <para>0: Everything went well, including things like NXDOMAIN</para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ <varlistentry> |
||||
+ <listitem> |
||||
+ <para>1: Usage error</para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ <varlistentry> |
||||
+ <listitem> |
||||
+ <para>8: Couldn't open batch file</para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ <varlistentry> |
||||
+ <listitem> |
||||
+ <para>9: No reply from server</para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ <varlistentry> |
||||
+ <listitem> |
||||
+ <para>10: Internal error</para> |
||||
+ </listitem> |
||||
+ </varlistentry> |
||||
+ </variablelist> |
||||
+ </para> |
||||
+ </refsect1> |
||||
+ |
||||
+ <refsect1> |
||||
<title>FILES</title> |
||||
<para><filename>/etc/resolv.conf</filename> |
||||
</para> |
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
diff -up bind-9.9.3rc1/lib/dns/include/dns/Makefile.in.rrl bind-9.9.3rc1/lib/dns/include/dns/Makefile.in |
||||
--- bind-9.9.3rc1/lib/dns/include/dns/Makefile.in.rrl 2013-04-16 16:37:00.682186997 +0200 |
||||
+++ bind-9.9.3rc1/lib/dns/include/dns/Makefile.in 2013-04-16 16:37:08.387169682 +0200 |
||||
@@ -32,7 +32,7 @@ HEADERS = acl.h adb.h byaddr.h cache.h c |
||||
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \ |
||||
tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \ |
||||
validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h \ |
||||
- forward.h |
||||
+ forward.h rrl.h |
||||
|
||||
GENHEADERS = enumclass.h enumtype.h rdatastruct.h |
||||
|
@ -0,0 +1,159 @@
@@ -0,0 +1,159 @@
|
||||
commit 524f5c0d8fa5bd55c98243be889528f48437a2f7 |
||||
Author: Mark Andrews <marka@isc.org> |
||||
Date: Fri Dec 9 12:50:18 2016 +1100 |
||||
|
||||
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME |
||||
in responses resulting in SERVFAIL being returned. |
||||
[RT #43779] |
||||
|
||||
(cherry picked from commit 60cb462c56536f307fac4db8bdebf1247e2b5f66) |
||||
|
||||
diff --git a/bin/tests/system/dname/ns2/example.db b/bin/tests/system/dname/ns2/example.db |
||||
index ece3506..4289134 100644 |
||||
--- a/bin/tests/system/dname/ns2/example.db |
||||
+++ b/bin/tests/system/dname/ns2/example.db |
||||
@@ -29,4 +29,6 @@ a.short A 10.0.0.1 |
||||
short-dname DNAME short |
||||
a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2 |
||||
long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong |
||||
-; |
||||
+cname CNAME a.cnamedname |
||||
+cnamedname DNAME target |
||||
+a.target A 10.0.0.3 |
||||
diff --git a/bin/tests/system/dname/tests.sh b/bin/tests/system/dname/tests.sh |
||||
index d22f54b..04bfcb2 100644 |
||||
--- a/bin/tests/system/dname/tests.sh |
||||
+++ b/bin/tests/system/dname/tests.sh |
||||
@@ -63,6 +63,24 @@ grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1 |
||||
if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
status=`expr $status + $ret` |
||||
|
||||
+echo "I:checking cname to dname from authoritative" |
||||
+ret=0 |
||||
+$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname |
||||
+grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1 |
||||
+if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+status=`expr $status + $ret` |
||||
+ |
||||
+echo "I:checking cname to dname from recursive" |
||||
+ret=0 |
||||
+$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname |
||||
+grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1 |
||||
+grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1 |
||||
+grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 |
||||
+grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 |
||||
+grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 |
||||
+if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+status=`expr $status + $ret` |
||||
+ |
||||
echo "I:exit status: $status" |
||||
|
||||
exit $status |
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index 4bef072..de80928 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -6463,7 +6463,7 @@ static isc_result_t |
||||
answer_response(fetchctx_t *fctx) { |
||||
isc_result_t result; |
||||
dns_message_t *message; |
||||
- dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; |
||||
+ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; |
||||
dns_name_t *cname = NULL; |
||||
dns_rdataset_t *rdataset, *ns_rdataset; |
||||
isc_boolean_t done, external, chaining, aa, found, want_chaining; |
||||
@@ -6471,7 +6471,7 @@ answer_response(fetchctx_t *fctx) { |
||||
isc_boolean_t wanted_chaining; |
||||
unsigned int aflag; |
||||
dns_rdatatype_t type; |
||||
- dns_fixedname_t fdname, fqname, fqdname; |
||||
+ dns_fixedname_t fdname, fqname; |
||||
dns_view_t *view; |
||||
|
||||
FCTXTRACE("answer_response"); |
||||
@@ -6495,13 +6495,12 @@ answer_response(fetchctx_t *fctx) { |
||||
aa = ISC_TRUE; |
||||
else |
||||
aa = ISC_FALSE; |
||||
- dqname = qname = &fctx->name; |
||||
+ qname = &fctx->name; |
||||
type = fctx->type; |
||||
view = fctx->res->view; |
||||
- dns_fixedname_init(&fqdname); |
||||
result = dns_message_firstname(message, DNS_SECTION_ANSWER); |
||||
while (!done && result == ISC_R_SUCCESS) { |
||||
- dns_namereln_t namereln, dnamereln; |
||||
+ dns_namereln_t namereln; |
||||
int order; |
||||
unsigned int nlabels; |
||||
|
||||
@@ -6509,8 +6508,6 @@ answer_response(fetchctx_t *fctx) { |
||||
dns_message_currentname(message, DNS_SECTION_ANSWER, &name); |
||||
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); |
||||
namereln = dns_name_fullcompare(qname, name, &order, &nlabels); |
||||
- dnamereln = dns_name_fullcompare(dqname, name, &order, |
||||
- &nlabels); |
||||
if (namereln == dns_namereln_equal) { |
||||
wanted_chaining = ISC_FALSE; |
||||
for (rdataset = ISC_LIST_HEAD(name->list); |
||||
@@ -6763,11 +6760,24 @@ answer_response(fetchctx_t *fctx) { |
||||
return (DNS_R_FORMERR); |
||||
} |
||||
|
||||
- if (dnamereln != dns_namereln_subdomain) { |
||||
+ /* |
||||
+ * If DNAME + synthetic CNAME then the |
||||
+ * namereln is dns_namereln_subdomain. |
||||
+ * |
||||
+ * If synthetic CNAME + DNAME then the |
||||
+ * namereln is dns_namereln_commonancestor |
||||
+ * and the number of label must match the |
||||
+ * DNAME. This order is not RFC compliant. |
||||
+ */ |
||||
+ |
||||
+ if (namereln != dns_namereln_subdomain && |
||||
+ (namereln != dns_namereln_commonancestor || |
||||
+ nlabels != dns_name_countlabels(name))) |
||||
+ { |
||||
char qbuf[DNS_NAME_FORMATSIZE]; |
||||
char obuf[DNS_NAME_FORMATSIZE]; |
||||
|
||||
- dns_name_format(dqname, qbuf, |
||||
+ dns_name_format(qname, qbuf, |
||||
sizeof(qbuf)); |
||||
dns_name_format(name, obuf, |
||||
sizeof(obuf)); |
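Review bot: The `dns_namereln_commonancestor` branch admits the non-RFC ordering (synthesized CNAME before its DNAME) that the comment describes, but the fixture added in this commit (`cname CNAME a.cnamedname` / `cnamedname DNAME target`, served by ns2) appears to exercise only the `dns_namereln_subdomain` path, so the relaxed check is not pinned by a test; a fixture that emits the CNAME ahead of the DNAME would cover it. Since the relaxation widens what `answer_response` accepts from an upstream server, the comment should also give the reason it is tolerated (interoperability with servers that order the records that way, presumably) rather than only noting it is "not RFC compliant". `nlabels` comes from `dns_name_fullcompare(qname, name, ...)` earlier in the loop, and the body of `answer_response` continues outside this hunk.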
||||
@@ -6782,7 +6792,7 @@ answer_response(fetchctx_t *fctx) { |
||||
want_chaining = ISC_TRUE; |
||||
POST(want_chaining); |
||||
aflag = DNS_RDATASETATTR_ANSWER; |
||||
- result = dname_target(rdataset, dqname, |
||||
+ result = dname_target(rdataset, qname, |
||||
nlabels, &fdname); |
||||
if (result == ISC_R_NOSPACE) { |
||||
/* |
||||
@@ -6799,13 +6809,11 @@ answer_response(fetchctx_t *fctx) { |
||||
|
||||
dname = dns_fixedname_name(&fdname); |
||||
if (!is_answertarget_allowed(view, |
||||
- dqname, rdataset->type, |
||||
+ qname, rdataset->type, |
||||
dname, &fctx->domain)) |
||||
{ |
||||
return (DNS_R_SERVFAIL); |
||||
} |
||||
- dqname = dns_fixedname_name(&fqdname); |
||||
- dns_name_copy(dname, dqname, NULL); |
||||
} else { |
||||
/* |
||||
* We've found a signature that |
||||
@@ -6951,7 +6959,8 @@ answer_response(fetchctx_t *fctx) { |
||||
rdataset->trust = |
||||
dns_trust_additional; |
||||
|
||||
- if (rdataset->type == dns_rdatatype_ns) { |
||||
+ if (rdataset->type == dns_rdatatype_ns) |
||||
+ { |
||||
ns_name = name; |
||||
ns_rdataset = rdataset; |
||||
} |
@ -0,0 +1,482 @@
@@ -0,0 +1,482 @@
|
||||
From e92ac3b83209ddc46ca9a3facd7edf1f14052edf Mon Sep 17 00:00:00 2001 |
||||
From: rpm-build <rpm-build> |
||||
Date: Wed, 8 Feb 2017 13:49:47 +0100 |
||||
Subject: [PATCH] 4558. [bug] Synthesised CNAME before matching DNAME |
||||
was still being cached when it should not have been. [RT |
||||
#44318] |
||||
|
||||
Fixes and tests last case fixed by CVE-2016-9147 |
||||
--- |
||||
bin/tests/system/dname/ans3/ans.pl | 95 +++++++++++++++++++++++ |
||||
bin/tests/system/dname/ns1/root.db | 5 +- |
||||
bin/tests/system/dname/tests.sh | 25 ++++++- |
||||
lib/dns/resolver.c | 150 +++++++++++++++++++++++++------------ |
||||
4 files changed, 225 insertions(+), 50 deletions(-) |
||||
create mode 100644 bin/tests/system/dname/ans3/ans.pl |
||||
|
||||
diff --git a/bin/tests/system/dname/ans3/ans.pl b/bin/tests/system/dname/ans3/ans.pl |
||||
new file mode 100644 |
||||
index 0000000..271fc7d |
||||
--- /dev/null |
||||
+++ b/bin/tests/system/dname/ans3/ans.pl |
||||
@@ -0,0 +1,95 @@ |
||||
+#!/usr/bin/env perl |
||||
+# |
||||
+# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC") |
||||
+# |
||||
+# This Source Code Form is subject to the terms of the Mozilla Public |
||||
+# License, v. 2.0. If a copy of the MPL was not distributed with this |
||||
+# file, You can obtain one at http://mozilla.org/MPL/2.0/. |
||||
+ |
||||
+use strict; |
||||
+use warnings; |
||||
+ |
||||
+use IO::File; |
||||
+use Getopt::Long; |
||||
+use Net::DNS::Nameserver; |
||||
+ |
||||
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!"; |
||||
+print $pidf "$$\n" or die "cannot write pid file: $!"; |
||||
+$pidf->close or die "cannot close pid file: $!"; |
||||
+sub rmpid { unlink "ans.pid"; exit 1; }; |
||||
+ |
||||
+$SIG{INT} = \&rmpid; |
||||
+$SIG{TERM} = \&rmpid; |
||||
+ |
||||
+my $localaddr = "10.53.0.3"; |
||||
+my $localport = 5300; |
||||
+my $verbose = 0; |
||||
+my $ttl = 60; |
||||
+my $zone = "example.broken"; |
||||
+my $nsname = "ns3.$zone"; |
||||
+my $synth = "synth-then-dname.$zone"; |
||||
+my $synth2 = "synth2-then-dname.$zone"; |
||||
+ |
||||
+sub reply_handler { |
||||
+ my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_; |
||||
+ my ($rcode, @ans, @auth, @add); |
||||
+ |
||||
+ print ("request: $qname/$qtype\n"); |
||||
+ STDOUT->flush(); |
||||
+ |
||||
+ if ($qname eq "example.broken") { |
||||
+ if ($qtype eq "SOA") { |
||||
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0"); |
||||
+ push @ans, $rr; |
||||
+ } elsif ($qtype eq "NS") { |
||||
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname"); |
||||
+ push @ans, $rr; |
||||
+ $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr"); |
||||
+ push @add, $rr; |
||||
+ } |
||||
+ $rcode = "NOERROR"; |
||||
+ } elsif ($qname eq "cname-to-$synth2") { |
||||
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2"); |
||||
+ push @ans, $rr; |
||||
+ $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name"); |
||||
+ push @ans, $rr; |
||||
+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); |
||||
+ push @ans, $rr; |
||||
+ $rcode = "NOERROR"; |
||||
+ } elsif ($qname eq "$synth" || $qname eq "$synth2") { |
||||
+ if ($qtype eq "DNAME") { |
||||
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME ."); |
||||
+ push @ans, $rr; |
||||
+ } |
||||
+ $rcode = "NOERROR"; |
||||
+ } elsif ($qname eq "name.$synth") { |
||||
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); |
||||
+ push @ans, $rr; |
||||
+ $rr = new Net::DNS::RR("$synth $ttl $qclass DNAME ."); |
||||
+ push @ans, $rr; |
||||
+ $rcode = "NOERROR"; |
||||
+ } elsif ($qname eq "name.$synth2") { |
||||
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name."); |
||||
+ push @ans, $rr; |
||||
+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME ."); |
||||
+ push @ans, $rr; |
||||
+ $rcode = "NOERROR"; |
||||
+ } else { |
||||
+ $rcode = "REFUSED"; |
||||
+ } |
||||
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); |
||||
+} |
||||
+ |
||||
+GetOptions( |
||||
+ 'port=i' => \$localport, |
||||
+ 'verbose!' => \$verbose, |
||||
+); |
||||
+ |
||||
+my $ns = Net::DNS::Nameserver->new( |
||||
+ LocalAddr => $localaddr, |
||||
+ LocalPort => $localport, |
||||
+ ReplyHandler => \&reply_handler, |
||||
+ Verbose => $verbose, |
||||
+); |
||||
+ |
||||
+$ns->main_loop; |
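Review bot: Style: the fixture uses indirect-object syntax (`new IO::File ...`, `new Net::DNS::RR(...)`), which parses ambiguously and perlcritic flags; `IO::File->new("ans.pid", "w")` and `Net::DNS::RR->new(...)` are the conventional forms. The `rmpid` handler exits with status 1 on INT/TERM, so a normal teardown reports failure; harmless if the harness ignores the exit code, but `exit 0` would be less surprising. The CNAME/DNAME branches answer the full chain regardless of `$qtype`, which is fine for a fixture but worth a one-line comment such as `# answer the chain for any qtype; the resolver under test asks for A`.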
||||
diff --git a/bin/tests/system/dname/ns1/root.db b/bin/tests/system/dname/ns1/root.db |
||||
index 7049e77..2e84ae0 100644 |
||||
--- a/bin/tests/system/dname/ns1/root.db |
||||
+++ b/bin/tests/system/dname/ns1/root.db |
||||
@@ -12,8 +12,6 @@ |
||||
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
||||
; PERFORMANCE OF THIS SOFTWARE. |
||||
|
||||
-; $Id: root.db,v 1.2 2011/03/18 21:14:19 fdupont Exp $ |
||||
- |
||||
$TTL 300 |
||||
. IN SOA gson.nominum.com. a.root.servers.nil. ( |
||||
2000042100 ; serial |
||||
@@ -27,3 +25,6 @@ a.root-servers.nil. A 10.53.0.1 |
||||
|
||||
example. NS ns2.example. |
||||
ns2.example. A 10.53.0.2 |
||||
+ |
||||
+example.broken. NS ns3.example.broken. |
||||
+ns3.example.broken. A 10.53.0.3 |
||||
diff --git a/bin/tests/system/dname/tests.sh b/bin/tests/system/dname/tests.sh |
||||
index 04bfcb2..6dc9e88 100644 |
||||
--- a/bin/tests/system/dname/tests.sh |
||||
+++ b/bin/tests/system/dname/tests.sh |
||||
@@ -20,6 +20,7 @@ SYSTEMTESTTOP=.. |
||||
. $SYSTEMTESTTOP/conf.sh |
||||
|
||||
status=0 |
||||
+n=0 |
||||
|
||||
echo "I:checking short dname from authoritative" |
||||
ret=0 |
||||
@@ -81,6 +82,26 @@ grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 |
||||
if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
status=`expr $status + $ret` |
||||
|
||||
-echo "I:exit status: $status" |
||||
+n=`expr $n + 1` |
||||
+echo "I:checking dname is returned with synthesized cname before dname ($n)" |
||||
+ret=0 |
||||
+$DIG @10.53.0.4 -p 5300 name.synth-then-dname.example.broken A > dig.out.test$n |
||||
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 |
||||
+grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 |
||||
+grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 |
||||
+if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+status=`expr $status + $ret` |
||||
|
||||
-exit $status |
||||
+n=`expr $n + 1` |
||||
+echo "I:checking dname is returned with cname to synthesized cname before dname ($n)" |
||||
+ret=0 |
||||
+$DIG @10.53.0.4 -p 5300 cname-to-synth2-then-dname.example.broken A > dig.out.test$n |
||||
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1 |
||||
+grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1 |
||||
+grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1 |
||||
+grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1 |
||||
+if [ $ret != 0 ]; then echo "I:failed"; fi |
||||
+status=`expr $status + $ret` |
||||
+ |
||||
+echo "I:exit status: $status" |
||||
+[ $status -eq 0 ] || exit 1 |
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
||||
index bfd4dcb..c3607fa 100644 |
||||
--- a/lib/dns/resolver.c |
||||
+++ b/lib/dns/resolver.c |
||||
@@ -5406,9 +5406,13 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { |
||||
return (ISC_R_SUCCESS); |
||||
} |
||||
|
||||
+/*% |
||||
+ * Construct the synthesised CNAME from the existing QNAME and |
||||
+ * the DNAME RR and store it in 'target'. |
||||
+ */ |
||||
static inline isc_result_t |
||||
dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, |
||||
- unsigned int nlabels, dns_fixedname_t *fixeddname) |
||||
+ unsigned int nlabels, dns_name_t *target) |
||||
{ |
||||
isc_result_t result; |
||||
dns_rdata_t rdata = DNS_RDATA_INIT; |
||||
@@ -5428,14 +5432,33 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, |
||||
|
||||
dns_fixedname_init(&prefix); |
||||
dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); |
||||
- dns_fixedname_init(fixeddname); |
||||
result = dns_name_concatenate(dns_fixedname_name(&prefix), |
||||
- &dname.dname, |
||||
- dns_fixedname_name(fixeddname), NULL); |
||||
+ &dname.dname, target, NULL); |
||||
dns_rdata_freestruct(&dname); |
||||
return (result); |
||||
} |
||||
|
||||
+/*% |
||||
+ * Check if it was possible to construct 'qname' from 'lastcname' |
||||
+ * and 'rdataset'. |
||||
+ */ |
||||
+static inline isc_result_t |
||||
+fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname, |
||||
+ unsigned int nlabels, const dns_name_t *qname) |
||||
+{ |
||||
+ dns_fixedname_t fixed; |
||||
+ isc_result_t result; |
||||
+ dns_name_t *target; |
||||
+ |
||||
+ dns_fixedname_init(&fixed); |
||||
+ target = dns_fixedname_name(&fixed); |
||||
+ result = dname_target(rdataset, lastcname, nlabels, target); |
||||
+ if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target)) |
||||
+ return (ISC_R_NOTFOUND); |
||||
+ |
||||
+ return (ISC_R_SUCCESS); |
||||
+} |
||||
+ |
||||
static isc_boolean_t |
||||
is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, |
||||
dns_rdataset_t *rdataset) |
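Review bot: fromdname() collapses every dname_target() failure, ISC_R_NOSPACE included, into ISC_R_NOTFOUND, and nothing in the new code says why that is acceptable, while the caller added in the @@ -6367 hunk still tests `result == ISC_R_NOSPACE` right after the call, which reads as if that branch were reachable on the synthesised-CNAME path. It is not, and presumably by design: 'qname' is an already-parsed name, so a concatenation that does not fit in a fixedname cannot compare equal to it, and NOTFOUND is the right verdict. I would record that in the header comment, e.g. `Any failure, including ISC_R_NOSPACE, means the DNAME could not have produced 'qname', so it is reported as ISC_R_NOTFOUND rather than passed through.` What the caller does with results other than ISC_R_NOSPACE lies outside the hunk.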
||||
@@ -6039,12 +6062,12 @@ answer_response(fetchctx_t *fctx) { |
||||
isc_result_t result; |
||||
dns_message_t *message; |
||||
dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; |
||||
- dns_name_t *cname = NULL; |
||||
+ dns_name_t *cname = NULL, *lastcname = NULL; |
||||
dns_rdataset_t *rdataset, *ns_rdataset; |
||||
- isc_boolean_t done, external, chaining, aa, found, want_chaining; |
||||
+ isc_boolean_t done, external, aa, found, want_chaining; |
||||
isc_boolean_t have_answer, found_cname, found_dname, found_type; |
||||
isc_boolean_t wanted_chaining; |
||||
- unsigned int aflag; |
||||
+ unsigned int aflag, chaining; |
||||
dns_rdatatype_t type; |
||||
dns_fixedname_t fdname, fqname; |
||||
dns_view_t *view; |
||||
@@ -6062,9 +6085,9 @@ answer_response(fetchctx_t *fctx) { |
||||
found_cname = ISC_FALSE; |
||||
found_dname = ISC_FALSE; |
||||
found_type = ISC_FALSE; |
||||
- chaining = ISC_FALSE; |
||||
have_answer = ISC_FALSE; |
||||
want_chaining = ISC_FALSE; |
||||
+ chaining = 0; |
||||
POST(want_chaining); |
||||
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) |
||||
aa = ISC_TRUE; |
||||
@@ -6075,14 +6098,15 @@ answer_response(fetchctx_t *fctx) { |
||||
view = fctx->res->view; |
||||
result = dns_message_firstname(message, DNS_SECTION_ANSWER); |
||||
while (!done && result == ISC_R_SUCCESS) { |
||||
- dns_namereln_t namereln; |
||||
- int order; |
||||
- unsigned int nlabels; |
||||
+ dns_namereln_t namereln, lastreln; |
||||
+ int order, lastorder; |
||||
+ unsigned int nlabels, lastnlabels; |
||||
|
||||
name = NULL; |
||||
dns_message_currentname(message, DNS_SECTION_ANSWER, &name); |
||||
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); |
||||
namereln = dns_name_fullcompare(qname, name, &order, &nlabels); |
||||
+ |
||||
if (namereln == dns_namereln_equal) { |
||||
wanted_chaining = ISC_FALSE; |
||||
for (rdataset = ISC_LIST_HEAD(name->list); |
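Review bot: `lastnlabels` (with `lastorder`) is declared without an initialiser at the top of the loop body and is only assigned inside the `if (lastcname != NULL)` block added in the @@ -6288 hunk, while the read passed to fromdname() in the @@ -6367 hunk is guarded by `synthcname` instead; the two guards agree, but a compiler cannot prove it, so -Wmaybe-uninitialized builds are likely to warn here. Initialising at the declaration, `unsigned int nlabels, lastnlabels = 0;`, silences that without changing behaviour. The body of answer_response() continues outside this hunk on both sides.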
||||
@@ -6188,6 +6212,7 @@ answer_response(fetchctx_t *fctx) { |
||||
&fctx->domain)) { |
||||
return (DNS_R_SERVFAIL); |
||||
} |
||||
+ lastcname = name; |
||||
} else if (rdataset->type == dns_rdatatype_rrsig |
||||
&& rdataset->covers == |
||||
dns_rdatatype_cname |
||||
@@ -6211,7 +6236,7 @@ answer_response(fetchctx_t *fctx) { |
||||
rdataset->attributes |= |
||||
DNS_RDATASETATTR_CACHE; |
||||
rdataset->trust = dns_trust_answer; |
||||
- if (!chaining) { |
||||
+ if (chaining == 0) { |
||||
/* |
||||
* This data is "the" answer |
||||
* to our question only if |
||||
@@ -6288,10 +6313,21 @@ answer_response(fetchctx_t *fctx) { |
||||
* cause us to ignore the signatures of |
||||
* CNAMEs. |
||||
*/ |
||||
- if (wanted_chaining) |
||||
- chaining = ISC_TRUE; |
||||
+ if (wanted_chaining && chaining < 2U) |
||||
+ chaining++; |
||||
} else { |
||||
dns_rdataset_t *dnameset = NULL; |
||||
+ isc_boolean_t synthcname = ISC_FALSE; |
||||
+ |
||||
+ if (lastcname != NULL) { |
||||
+ lastreln = dns_name_fullcompare(lastcname, |
||||
+ name, |
||||
+ &lastorder, |
||||
+ &lastnlabels); |
||||
+ if (lastreln == dns_namereln_subdomain && |
||||
+ lastnlabels == dns_name_countlabels(name)) |
||||
+ synthcname = ISC_TRUE; |
||||
+ } |
||||
|
||||
/* |
||||
* Look for a DNAME (or its SIG). Anything else is |
||||
@@ -6320,7 +6356,7 @@ answer_response(fetchctx_t *fctx) { |
||||
* If we're not chaining, then the DNAME and |
||||
* its signature should not be external. |
||||
*/ |
||||
- if (!chaining && external) { |
||||
+ if (chaining == 0 && external) { |
||||
char qbuf[DNS_NAME_FORMATSIZE]; |
||||
char obuf[DNS_NAME_FORMATSIZE]; |
||||
|
||||
@@ -6338,16 +6374,9 @@ answer_response(fetchctx_t *fctx) { |
||||
/* |
||||
* If DNAME + synthetic CNAME then the |
||||
* namereln is dns_namereln_subdomain. |
||||
- * |
||||
- * If synthetic CNAME + DNAME then the |
||||
- * namereln is dns_namereln_commonancestor |
||||
- * and the number of label must match the |
||||
- * DNAME. This order is not RFC compliant. |
||||
*/ |
||||
- |
||||
if (namereln != dns_namereln_subdomain && |
||||
- (namereln != dns_namereln_commonancestor || |
||||
- nlabels != dns_name_countlabels(name))) |
||||
+ !synthcname) |
||||
{ |
||||
char qbuf[DNS_NAME_FORMATSIZE]; |
||||
char obuf[DNS_NAME_FORMATSIZE]; |
||||
@@ -6367,8 +6396,19 @@ answer_response(fetchctx_t *fctx) { |
||||
want_chaining = ISC_TRUE; |
||||
POST(want_chaining); |
||||
aflag = DNS_RDATASETATTR_ANSWER; |
||||
- result = dname_target(rdataset, qname, |
||||
- nlabels, &fdname); |
||||
+ dns_fixedname_init(&fdname); |
||||
+ dname = dns_fixedname_name(&fdname); |
||||
+ if (synthcname) { |
||||
+ result = fromdname(rdataset, |
||||
+ lastcname, |
||||
+ lastnlabels, |
||||
+ qname); |
||||
+ } else { |
||||
+ result = dname_target(rdataset, |
||||
+ qname, |
||||
+ nlabels, |
||||
+ dname); |
||||
+ } |
||||
if (result == ISC_R_NOSPACE) { |
||||
/* |
||||
* We can't construct the |
||||
@@ -6382,8 +6422,8 @@ answer_response(fetchctx_t *fctx) { |
||||
else |
||||
dnameset = rdataset; |
||||
|
||||
- dname = dns_fixedname_name(&fdname); |
||||
- if (!is_answertarget_allowed(view, |
||||
+ if (!synthcname && |
||||
+ !is_answertarget_allowed(view, |
||||
qname, rdataset->type, |
||||
dname, &fctx->domain)) |
||||
{ |
||||
@@ -6404,7 +6444,13 @@ answer_response(fetchctx_t *fctx) { |
||||
name->attributes |= DNS_NAMEATTR_CACHE; |
||||
rdataset->attributes |= DNS_RDATASETATTR_CACHE; |
||||
rdataset->trust = dns_trust_answer; |
||||
- if (!chaining) { |
||||
+ /* |
||||
+ * If we are not chaining or the first CNAME |
||||
+ * is a synthesised CNAME before the DNAME. |
||||
+ */ |
||||
+ if ((chaining == 0) || |
||||
+ (chaining == 1U && synthcname)) |
||||
+ { |
||||
/* |
||||
* This data is "the" answer to |
||||
* our question only if we're |
||||
@@ -6414,9 +6460,12 @@ answer_response(fetchctx_t *fctx) { |
||||
if (aflag == DNS_RDATASETATTR_ANSWER) { |
||||
have_answer = ISC_TRUE; |
||||
found_dname = ISC_TRUE; |
||||
- if (cname != NULL) |
||||
+ if (cname != NULL && |
||||
+ synthcname) |
||||
+ { |
||||
cname->attributes &= |
||||
~DNS_NAMEATTR_ANSWER; |
||||
+ } |
||||
name->attributes |= |
||||
DNS_NAMEATTR_ANSWER; |
||||
} |
||||
@@ -6434,26 +6483,35 @@ answer_response(fetchctx_t *fctx) { |
||||
* DNAME chaining. |
||||
*/ |
||||
if (dnameset != NULL) { |
||||
- /* |
||||
- * Copy the dname into the qname fixed name. |
||||
- * |
||||
- * Although we check for failure of the copy |
||||
- * operation, in practice it should never fail |
||||
- * since we already know that the result fits |
||||
- * in a fixedname. |
||||
- */ |
||||
- dns_fixedname_init(&fqname); |
||||
- qname = dns_fixedname_name(&fqname); |
||||
- result = dns_name_copy(dname, qname, NULL); |
||||
- if (result != ISC_R_SUCCESS) |
||||
- return (result); |
||||
+ if (!synthcname) { |
||||
+ /* |
||||
+ * Copy the dname into the qname fixed |
||||
+ * name. |
||||
+ * |
||||
+ * Although we check for failure of the |
||||
+ * copy operation, in practice it |
||||
+ * should never fail since we already |
||||
+ * know that the result fits in a |
||||
+ * fixedname. |
||||
+ */ |
||||
+ dns_fixedname_init(&fqname); |
||||
+ qname = dns_fixedname_name(&fqname); |
||||
+ result = dns_name_copy(dname, qname, |
||||
+ NULL); |
||||
+ if (result != ISC_R_SUCCESS) |
||||
+ return (result); |
||||
+ } |
||||
wanted_chaining = ISC_TRUE; |
||||
name->attributes |= DNS_NAMEATTR_CHAINING; |
||||
dnameset->attributes |= |
||||
DNS_RDATASETATTR_CHAINING; |
||||
} |
||||
- if (wanted_chaining) |
||||
- chaining = ISC_TRUE; |
||||
+ /* |
||||
+ * Ensure that we can't ever get chaining == 1 |
||||
+ * above if we have processed a DNAME. |
||||
+ */ |
||||
+ if (wanted_chaining && chaining < 2U) |
||||
+ chaining += 2; |
||||
} |
||||
result = dns_message_nextname(message, DNS_SECTION_ANSWER); |
||||
} |
||||
@@ -6478,7 +6536,7 @@ answer_response(fetchctx_t *fctx) { |
||||
/* |
||||
* Did chaining end before we got the final answer? |
||||
*/ |
||||
- if (chaining) { |
||||
+ if (chaining != 0) { |
||||
/* |
||||
* Yes. This may be a negative reply, so hand off |
||||
* authority section processing to the noanswer code. |
||||
@@ -6527,7 +6585,7 @@ answer_response(fetchctx_t *fctx) { |
||||
DNS_NAMEATTR_CACHE; |
||||
rdataset->attributes |= |
||||
DNS_RDATASETATTR_CACHE; |
||||
- if (aa && !chaining) |
||||
+ if (aa && chaining == 0) |
||||
rdataset->trust = |
||||
dns_trust_authauthority; |
||||
else |
||||
-- |
||||
2.9.3 |
||||
|
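--- /dev/null
+++ b/PATH_NOT_SHOWN_ldap_dns_schema
@@ -0,0 +1,148 @@
+# A schema for storing DNS zones in LDAP
+#
+attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
+DESC 'An integer denoting time to live'
+EQUALITY integerMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
+DESC 'The class of a resource record'
+EQUALITY caseIgnoreIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
+DESC 'The name of a zone, i.e. the name of the highest node in the zone'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
+DESC 'The starting labels of a domain name'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
+DESC 'domain name pointer, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
+DESC 'host information, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
+DESC 'mailbox or mail list information, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
+DESC 'text string, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
+DESC 'for AFS Data Base location, RFC 1183'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
+DESC 'Signature, RFC 2535'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
+DESC 'Key, RFC 2535'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
+DESC 'IPv6 address, RFC 1886'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
+DESC 'Location, RFC 1876'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
+DESC 'non-existant, RFC 2535'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
+DESC 'service location, RFC 2782'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
+DESC 'Naming Authority Pointer, RFC 2915'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
+DESC 'Key Exchange Delegation, RFC 2230'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
+DESC 'certificate, RFC 2538'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
+DESC 'A6 Record Type, RFC 2874'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
+DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
+DESC 'Delegation Signer, RFC 3658'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
+DESC 'RRSIG, RFC 3755'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
+DESC 'NSEC, RFC 3755'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
+SUP top STRUCTURAL
+MUST ( zoneName $ relativeDomainName )
+MAY ( DNSTTL $ DNSClass $
+ARecord $ MDRecord $ MXRecord $ NSRecord $
+SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
+MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $
+AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
+NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
+DNAMERecord ) )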
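Review bot: The dNSZone objectclass at the end of the file lists ARecord, MDRecord, MXRecord, NSRecord, SOARecord and CNAMERecord in its MAY clause, but no attributetype for any of them is defined in this file, so slapd will only accept the schema if those types come from another schema loaded before it (they look like the classic cosine DNS attributes, though I have not confirmed that). A comment at the top stating the prerequisite would turn a cryptic startup failure into a one-line fix, e.g. `# Requires the schema defining aRecord, mDRecord, mXRecord, nSRecord, sOARecord and cNAMERecord to be included before this file.` The DESC of nXTRecord also reads 'non-existant'; 'non-existent' is the intended spelling.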
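--- /dev/null
+++ b/PATH_NOT_SHOWN_rndc_key_script
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+. /etc/rc.d/init.d/functions
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+echo -n $"Generating /etc/rndc.key:"
+if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
+then
+chmod 640 /etc/rndc.key
+chown root:named /etc/rndc.key
+[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+success $"/etc/rndc.key generation"
+echo
+else
+failure $"/etc/rndc.key generation"
+echo
+fi
+fi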
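Review bot: /etc/rndc.key is written by the `rndc-confgen -a` call before the `chmod 640` and `chown root:named` on the following two lines run, so unless rndc-confgen itself creates the file with a restrictive mode (I have not verified that it does) the key is readable under the inherited umask for that window. Adding `umask 077` before the outer `if` is harmless either way and removes the dependence on the caller's umask. The `[ … -a … ]` form on the outer test is also marked obsolescent by POSIX; `[ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]` is the portable spelling.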
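--- /dev/null
+++ b/PATH_NOT_SHOWN_ldap2zone_manpage
@@ -0,0 +1,41 @@
+.\" Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" Manpage written by Jan Gorig
+.TH ldap2zone 1 "15 March 2010" "BIND9"
+.SH NAME
+ldap2zone - Creates zone file from LDAP dnszone information
+.SH SYNOPSIS
+.B ldap2zone zone-name LDAP-URL default-ttl [serial]
+.SH DESCRIPTION
+ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end.
+
+\fBzone-name\fR
+.RS 4
+Name of the zone, eg "mydomain.net."
+.RE
+.PP
+\fBLDAP-URL\fR
+.RS 4
+LDAP URL to dnszone information
+.RE
+.PP
+\fBdefault-ttl\fR
+.RS 4
+Default TTL value to be used in zone
+.RE
+.PP
+\fBserial\fR
+.RS 4
+(optional) Program checks this number to be different than SOA serial number.
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8) ldap(3)
+http://www.venaas.no/dns/ldap2zone/
+.SH "COPYRIGHT"
+Copyright (C) 2004, 2005 Stig Venaas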
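--- /dev/null
+++ b/ldap2zone.c
@@ -0,0 +1,411 @@
+/*
+* Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+* $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*/
+
+#define LDAP_DEPRECATED 1
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include <ldap.h>
+
+struct string {
+void *data;
+size_t len;
+};
+
+struct assstack_entry {
+struct string key;
+struct string val;
+struct assstack_entry *next;
+};
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
+void printsoa(struct string *soa);
+void printrrs(char *defaultttl, struct assstack_entry *item);
+void print_zone(char *defaultttl, struct assstack_entry *stack);
+void usage(char *name);
+void err(char *name, const char *msg);
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
+for (; stack; stack = stack->next)
+if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
+return stack;
+return NULL;
+}
+
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
+item->next = *stack;
+*stack = item;
+}
+
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
+struct assstack_entry *p;
+
+item->next = NULL;
+if (!*stack) {
+*stack = item;
+return;
+}
+/* find end, should keep track of end somewhere */
+/* really a queue, not a stack */
+p = *stack;
+while (p->next)
+p = p->next;
+p->next = item;
+}
+
+void printsoa(struct string *soa) {
+char *s;
+size_t i;
+
+s = (char *)soa->data;
+i = 0;
+while (i < soa->len) {
+putchar(s[i]);
+if (s[i++] == ' ')
+break;
+}
+while (i < soa->len) {
+putchar(s[i]);
+if (s[i++] == ' ')
+break;
+}
+printf("(\n\t\t\t\t");
+while (i < soa->len) {
+putchar(s[i]);
+if (s[i++] == ' ')
+break;
+}
+printf("; Serialnumber\n\t\t\t\t");
+while (i < soa->len) {
+if (s[i] == ' ')
+break;
+putchar(s[i++]);
+}
+i++;
+printf("\t; Refresh\n\t\t\t\t");
+while (i < soa->len) {
+if (s[i] == ' ')
+break;
+putchar(s[i++]);
+}
+i++;
+printf("\t; Retry\n\t\t\t\t");
+while (i < soa->len) {
+if (s[i] == ' ')
+break;
+putchar(s[i++]);
+}
+i++;
+printf("\t; Expire\n\t\t\t\t");
+while (i < soa->len) {
+putchar(s[i++]);
+}
+printf(" )\t; Minimum TTL\n");
+}
+
+void printrrs(char *defaultttl, struct assstack_entry *item) {
+struct assstack_entry *stack;
+char *s;
+int first;
+size_t i;
+char *ttl, *type;
+int top;
+
+s = (char *)item->key.data;
+
+if (item->key.len == 1 && *s == '@') {
+top = 1;
+printf("@\t");
+} else {
+top = 0;
+for (i = 0; i < item->key.len; i++)
+putchar(s[i]);
+if (item->key.len < 8)
+putchar('\t');
+putchar('\t');
+}
+
+first = 1;
+for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
+ttl = (char *)stack->key.data;
+s = strchr(ttl, ' ');
+*s++ = '\0';
+type = s;
+
+if (first)
+first = 0;
+else
+printf("\t\t");
+
+if (strcmp(defaultttl, ttl))
+printf("%s", ttl);
+putchar('\t');
+
+if (top) {
+top = 0;
+printf("IN\t%s\t", type);
+/* Should always be SOA here */
+if (!strcmp(type, "SOA")) {
+printsoa(&stack->val);
+continue;
+}
+} else
+printf("%s\t", type);
+
+s = (char *)stack->val.data;
+for (i = 0; i < stack->val.len; i++)
+putchar(s[i]);
+putchar('\n');
+}
+}
+
+void print_zone(char *defaultttl, struct assstack_entry *stack) {
+printf("$TTL %s\n", defaultttl);
+for (; stack; stack = stack->next)
+printrrs(defaultttl, stack);
+};
+
+void usage(char *name) {
+fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
+exit(1);
+};
+
+void err(char *name, const char *msg) {
+fprintf(stderr, "%s: %s\n", name, msg);
+exit(1);
+};
+
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
+struct string key;
+struct assstack_entry *rr, *rrdata;
+
+/* Do nothing if name or value have 0 length */
+if (!name->bv_len || !val->bv_len)
+return 0;
+
+/* see if already have an entry for this name */
+key.len = name->bv_len;
+key.data = name->bv_val;
+
+rr = assstack_find(*stack, &key);
+if (!rr) {
+/* Not found, create and push new entry */
+rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+if (!rr)
+return -1;
+rr->key.len = name->bv_len;
+rr->key.data = (void *) malloc(rr->key.len);
+if (!rr->key.data) {
+free(rr);
+return -1;
+}
+memcpy(rr->key.data, name->bv_val, name->bv_len);
+rr->val.len = sizeof(void *);
+rr->val.data = NULL;
+if (name->bv_len == 1 && *(char *)name->bv_val == '@')
+assstack_push(stack, rr);
+else
+assstack_insertbottom(stack, rr);
+}
+
+rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+if (!rrdata) {
+free(rr->key.data);
+free(rr);
+return -1;
+}
+rrdata->key.len = strlen(type) + strlen(ttl) + 1;
+rrdata->key.data = (void *) malloc(rrdata->key.len);
+if (!rrdata->key.data) {
+free(rrdata);
+free(rr->key.data);
+free(rr);
+return -1;
+}
+sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
+
+rrdata->val.len = val->bv_len;
+rrdata->val.data = (void *) malloc(val->bv_len);
+if (!rrdata->val.data) {
+free(rrdata->key.data);
+free(rrdata);
+free(rr->key.data);
+free(rr);
+return -1;
+}
+memcpy(rrdata->val.data, val->bv_val, val->bv_len);
+
+if (!strcmp(type, "SOA"))
+assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
+else
+assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
+return 0;
+}
+
+int main(int argc, char **argv) {
+char *s, *hostporturl, *base = NULL;
+char *ttl, *defaultttl;
+LDAP *ld;
+char *fltr = NULL;
+LDAPMessage *res, *e;
+char *a, **ttlvals, **soavals, *serial;
+struct berval **vals, **names;
+char type[64];
+BerElement *ptr;
+int i, j, rc, msgid;
+struct assstack_entry *zone = NULL;
+
+if (argc < 4 || argc > 5)
+usage(argv[0]);
+
+hostporturl = argv[2];
+
+if (hostporturl != strstr( hostporturl, "ldap"))
+err(argv[0], "Not an LDAP URL");
+
+s = strchr(hostporturl, ':');
+
+if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
+err(argv[0], "Not an LDAP URL");
+
+s = strchr(s+3, '/');
+if (s) {
+*s++ = '\0';
+base = s;
+s = strchr(base, '?');
+if (s)
+err(argv[0], "LDAP URL can only contain host, port and base");
+}
+
+defaultttl = argv[3];
+
+rc = ldap_initialize(&ld, hostporturl);
+if (rc != LDAP_SUCCESS)
+err(argv[0], "ldap_initialize() failed");
+
+if (argc == 5) {
+/* serial number specified, check if different from one in SOA */
+fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
+sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
+msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+if (msgid == -1)
+err(argv[0], "ldap_search() failed");
+
+while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+/* not supporting continuation references at present */
+if (rc != LDAP_RES_SEARCH_ENTRY)
+err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+/* only one entry per result message */
+e = ldap_first_entry(ld, res);
+if (e == NULL) {
+ldap_msgfree(res);
+err(argv[0], "ldap_first_entry() failed");
+}
+
+soavals = ldap_get_values(ld, e, "SOARecord");
+if (soavals)
+break;
+}
+
+ldap_msgfree(res);
+if (!soavals) {
+err(argv[0], "No SOA Record found");
+}
+
+/* We have a SOA, compare serial numbers */
+/* Only checkinf first value, should be only one */
+s = strchr(soavals[0], ' ');
+s++;
+s = strchr(s, ' ');
+s++;
+serial = s;
+s = strchr(s, ' ');
+*s = '\0';
+if (!strcmp(serial, argv[4])) {
+ldap_value_free(soavals);
+err(argv[0], "serial numbers match");
+}
+ldap_value_free(soavals);
+}
+
+if (!fltr)
+fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
+if (!fltr)
+err(argv[0], "Malloc failed");
+sprintf(fltr, "(zoneName=%s)", argv[1]);
+
+msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+if (msgid == -1)
+err(argv[0], "ldap_search() failed");
+
+while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+/* not supporting continuation references at present */
+if (rc != LDAP_RES_SEARCH_ENTRY)
+err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+/* only one entry per result message */
+e = ldap_first_entry(ld, res);
+if (e == NULL) {
+ldap_msgfree(res);
+err(argv[0], "ldap_first_entry() failed");
+}
+
+names = ldap_get_values_len(ld, e, "relativeDomainName");
+if (!names)
+continue;
+
+ttlvals = ldap_get_values(ld, e, "dNSTTL");
+ttl = ttlvals ? ttlvals[0] : defaultttl;
+
+for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
+char *s;
+
+for (s = a; *s; s++)
+*s = toupper(*s);
+s = strstr(a, "RECORD");
+if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
+ldap_memfree(a);
+continue;
+}
+
+strncpy(type, a, s - a);
+type[s - a] = '\0';
+vals = ldap_get_values_len(ld, e, a);
+if (vals) {
+for (i = 0; vals[i]; i++)
+for (j = 0; names[j]; j++)
+if (putrr(&zone, names[j], type, ttl, vals[i]))
+err(argv[0], "malloc failed");
+ldap_value_free_len(vals);
+}
+ldap_memfree(a);
+}
+
+if (ptr)
+ber_free(ptr, 0);
+if (ttlvals)
+ldap_value_free(ttlvals);
+ldap_value_free_len(names);
+/* free this result */
+ldap_msgfree(res);
+}
+
+/* free final result */
+ldap_msgfree(res);
+
+print_zone(defaultttl, zone);
+return 0;
+}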
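--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off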
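Review bot: The chroot path `/var/named/chroot` is hard-coded here and again, independently, as the `-t` argument and the `PIDFile` prefix in the named-chroot unit below, with nothing tying the two together; if one is edited, the setup script prepares one directory while named chroots into another. A comment on the ExecStart line such as `# path must match -t and PIDFile in named-chroot.service` documents the coupling. The same applies to `/var/named/chroot_sdb` in the named-sdb-chroot-setup section further down.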
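--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=network.target
+After=named-chroot-setup.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target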
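Review bot: `ExecReload` and `ExecStop` discard rndc's stderr (`> /dev/null 2>&1`) before falling back to a signal, so a broken rndc setup (missing or mismatched key, wrong control address) never shows up in the journal — the unit keeps working through `kill`, and the misconfiguration stays invisible until an operator needs rndc directly. Keep the fallback but let the failure be logged, e.g. `ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null || /bin/kill -HUP $MAINPID'` and the same for `ExecStop`. The named-pkcs11 and named-sdb-chroot sections below use the identical pattern.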
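--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target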
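Review bot: The sequence `Environment=NAMEDCONF=...`, `EnvironmentFile=-/etc/sysconfig/named`, `Environment=KRB5_KTNAME=...` reads as if the keytab path is pinned after the sysconfig file has been read, but systemd applies values from `EnvironmentFile=` over `Environment=` regardless of their order in the unit, so both NAMEDCONF and KRB5_KTNAME are overridable from /etc/sysconfig/named. If that is the intent, a comment above the block such as `# /etc/sysconfig/named may override both NAMEDCONF and KRB5_KTNAME (EnvironmentFile= wins over Environment=)` would stop a later edit from "fixing" the order; if the keytab path must not be overridable, the ordering does not achieve that. The named-chroot and named-sdb-chroot sections have the same layout.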
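--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named-sdb
+BindsTo=named-sdb-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off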
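--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-sdb-chroot-setup.service
+Before=nss-lookup.target
+After=network.target
+After=named-sdb-chroot-setup.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot_sdb/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target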
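Review bot: `PrivateTmp=false` is set without a reason while the non-chroot named-pkcs11 unit above sets `PrivateTmp=true`; the asymmetry is presumably because named runs under `-t /var/named/chroot_sdb` and a private /tmp namespace would not be visible inside that chroot, but nothing in the unit says so, and a hardening pass could flip it. A one-line comment above it such as `# named is chrooted (-t above); a private /tmp would be outside the chroot` would record the reason. The named-chroot section has the same unexplained line.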